├── .github └── workflows │ ├── codespell.yml │ ├── release.yml │ └── test.yml ├── .gitignore ├── .rubocop.yml ├── CHANGELOG.md ├── CONTRIBUTING.md ├── Gemfile ├── LICENSE ├── README.md ├── Rakefile ├── controls ├── account_policies.rb ├── administrative_templates_computer.rb ├── administrative_templates_user.rb ├── advanced_audit_policy_configuration.rb ├── advanced_windows_security_from_best_practices.rb ├── local_policies.rb └── windows_firewall_with_advanced_security.rb ├── inspec.yml └── renovate.json /.github/workflows/codespell.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: Codespell - Spellcheck 3 | 4 | on: # yamllint disable-line rule:truthy 5 | push: 6 | branches: [master] 7 | pull_request: 8 | branches: [master] 9 | 10 | jobs: 11 | codespell: 12 | uses: "dev-sec/.github/.github/workflows/codespell.yml@main" 13 | with: 14 | ignore_words_list: "bund,seh,ois" 15 | -------------------------------------------------------------------------------- /.github/workflows/release.yml: -------------------------------------------------------------------------------- 1 | name: New release 2 | 3 | on: 4 | push: 5 | branches: 6 | - master 7 | 8 | jobs: 9 | generate_changelog: 10 | uses: dev-sec/.github/.github/workflows/baseline-release.yml@main 11 | -------------------------------------------------------------------------------- /.github/workflows/test.yml: -------------------------------------------------------------------------------- 1 | name: Test 2 | 3 | on: 4 | push: 5 | branches: [ master ] 6 | pull_request: 7 | branches: [ master ] 8 | schedule: 9 | - cron: '0 6 * * *' 10 | 11 | jobs: 12 | test: 13 | uses: dev-sec/.github/.github/workflows/baseline-test.yml@main 14 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | vendor/ 2 | *.bak 3 | *.lock 4 | .envrc 5 | 6 | .vagrant 7 | *~ 8 
| *# 9 | .#* 10 | \#*# 11 | .*.sw[a-z] 12 | *.un~ 13 | 14 | # Bundler 15 | Gemfile.lock 16 | gems.locked 17 | bin/* 18 | .bundle/* 19 | -------------------------------------------------------------------------------- /.rubocop.yml: -------------------------------------------------------------------------------- 1 | --- 2 | AllCops: 3 | Exclude: 4 | - vendor/**/* 5 | -------------------------------------------------------------------------------- /CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # Changelog 2 | 3 | ## [2.1.10](https://github.com/dev-sec/windows-baseline/tree/2.1.10) (2023-05-02) 4 | 5 | [Full Changelog](https://github.com/dev-sec/windows-baseline/compare/2.1.9...2.1.10) 6 | 7 | **Fixed bugs:** 8 | 9 | - use correct default value for attribute level\_1\_or\_2 [\#65](https://github.com/dev-sec/windows-baseline/pull/65) ([schurzi](https://github.com/schurzi)) 10 | 11 | **Merged pull requests:** 12 | 13 | - add spellchecking with codespell [\#67](https://github.com/dev-sec/windows-baseline/pull/67) ([schurzi](https://github.com/schurzi)) 14 | - Configure Renovate [\#66](https://github.com/dev-sec/windows-baseline/pull/66) ([renovate[bot]](https://github.com/apps/renovate)) 15 | - Always use HKEY\_LOCAL\_MACHINE\ when checking registry keys [\#64](https://github.com/dev-sec/windows-baseline/pull/64) ([spencer-cdw](https://github.com/spencer-cdw)) 16 | 17 | ## [2.1.9](https://github.com/dev-sec/windows-baseline/tree/2.1.9) (2022-10-27) 18 | 19 | [Full Changelog](https://github.com/dev-sec/windows-baseline/compare/2.1.8...2.1.9) 20 | 21 | **Implemented enhancements:** 22 | 23 | - use centralised issue templates and workflows [\#62](https://github.com/dev-sec/windows-baseline/pull/62) ([schurzi](https://github.com/schurzi)) 24 | 25 | **Fixed bugs:** 26 | 27 | - Error `undefined method `positive?' 
for #` [\#59](https://github.com/dev-sec/windows-baseline/issues/59) 28 | - Fix local\_policies 'no such value .positive?' [\#61](https://github.com/dev-sec/windows-baseline/pull/61) ([spencer-cdw](https://github.com/spencer-cdw)) 29 | - Revert lint breaking .positive [\#60](https://github.com/dev-sec/windows-baseline/pull/60) ([spencer-cdw](https://github.com/spencer-cdw)) 30 | 31 | **Merged pull requests:** 32 | 33 | - Change linting to Cookstyle [\#58](https://github.com/dev-sec/windows-baseline/pull/58) ([schurzi](https://github.com/schurzi)) 34 | 35 | ## [2.1.8](https://github.com/dev-sec/windows-baseline/tree/2.1.8) (2022-01-12) 36 | 37 | [Full Changelog](https://github.com/dev-sec/windows-baseline/compare/2.1.7...2.1.8) 38 | 39 | **Merged pull requests:** 40 | 41 | - Minimum requirements [\#57](https://github.com/dev-sec/windows-baseline/pull/57) ([micheelengronne](https://github.com/micheelengronne)) 42 | - fix rubocop error for Rakefile [\#53](https://github.com/dev-sec/windows-baseline/pull/53) ([schurzi](https://github.com/schurzi)) 43 | - add dependency to chef-config for CI [\#52](https://github.com/dev-sec/windows-baseline/pull/52) ([schurzi](https://github.com/schurzi)) 44 | - use version tag for changelog action [\#51](https://github.com/dev-sec/windows-baseline/pull/51) ([schurzi](https://github.com/schurzi)) 45 | 46 | ## [2.1.7](https://github.com/dev-sec/windows-baseline/tree/2.1.7) (2021-01-29) 47 | 48 | [Full Changelog](https://github.com/dev-sec/windows-baseline/compare/2.1.6...2.1.7) 49 | 50 | **Merged pull requests:** 51 | 52 | - Fix lint [\#50](https://github.com/dev-sec/windows-baseline/pull/50) ([schurzi](https://github.com/schurzi)) 53 | - GitHub action [\#49](https://github.com/dev-sec/windows-baseline/pull/49) ([rndmh3ro](https://github.com/rndmh3ro)) 54 | 55 | ## [2.1.6](https://github.com/dev-sec/windows-baseline/tree/2.1.6) (2020-08-07) 56 | 57 | [Full Changelog](https://github.com/dev-sec/windows-baseline/compare/2.1.5...2.1.6) 58 
| 59 | **Closed issues:** 60 | 61 | - False Positives due to integers in strings [\#45](https://github.com/dev-sec/windows-baseline/issues/45) 62 | 63 | **Merged pull requests:** 64 | 65 | - Fixes comparisons when registry key data type are REG\_SZ [\#46](https://github.com/dev-sec/windows-baseline/pull/46) ([imjoseangel](https://github.com/imjoseangel)) 66 | 67 | ## [2.1.5](https://github.com/dev-sec/windows-baseline/tree/2.1.5) (2020-07-23) 68 | 69 | [Full Changelog](https://github.com/dev-sec/windows-baseline/compare/2.1.4...2.1.5) 70 | 71 | **Closed issues:** 72 | 73 | - Typo FontBocking/FontBlocking? [\#35](https://github.com/dev-sec/windows-baseline/issues/35) 74 | 75 | ## [2.1.4](https://github.com/dev-sec/windows-baseline/tree/2.1.4) (2020-06-30) 76 | 77 | [Full Changelog](https://github.com/dev-sec/windows-baseline/compare/2.1.3...2.1.4) 78 | 79 | **Fixed bugs:** 80 | 81 | - Fixes SeIncreaseQuotaPrivilege [\#44](https://github.com/dev-sec/windows-baseline/pull/44) ([imjoseangel](https://github.com/imjoseangel)) 82 | - Fixes Readme copy and paste. 
Formats author table in readme [\#41](https://github.com/dev-sec/windows-baseline/pull/41) ([imjoseangel](https://github.com/imjoseangel)) 83 | 84 | **Closed issues:** 85 | 86 | - copy / paste error in README.md [\#38](https://github.com/dev-sec/windows-baseline/issues/38) 87 | - The 'should include' does not check for unwanted accounts [\#20](https://github.com/dev-sec/windows-baseline/issues/20) 88 | 89 | ## [2.1.3](https://github.com/dev-sec/windows-baseline/tree/2.1.3) (2020-06-18) 90 | 91 | [Full Changelog](https://github.com/dev-sec/windows-baseline/compare/2.1.2...2.1.3) 92 | 93 | **Merged pull requests:** 94 | 95 | - version alignment [\#40](https://github.com/dev-sec/windows-baseline/pull/40) ([micheelengronne](https://github.com/micheelengronne)) 96 | 97 | ## [2.1.2](https://github.com/dev-sec/windows-baseline/tree/2.1.2) (2020-06-18) 98 | 99 | [Full Changelog](https://github.com/dev-sec/windows-baseline/compare/2.1.1...2.1.2) 100 | 101 | **Closed issues:** 102 | 103 | - formatting error when executing profile [\#34](https://github.com/dev-sec/windows-baseline/issues/34) 104 | - LAN Manager authentication level incorrect [\#25](https://github.com/dev-sec/windows-baseline/issues/25) 105 | - Should we close SeNetworkLogonRight for all users? 
[\#19](https://github.com/dev-sec/windows-baseline/issues/19) 106 | - The title of each test should clearly state what should be done [\#18](https://github.com/dev-sec/windows-baseline/issues/18) 107 | 108 | **Merged pull requests:** 109 | 110 | - github actions release [\#39](https://github.com/dev-sec/windows-baseline/pull/39) ([micheelengronne](https://github.com/micheelengronne)) 111 | - replace the german text to english and fix the windows 2012r2 tag [\#37](https://github.com/dev-sec/windows-baseline/pull/37) ([atomic111](https://github.com/atomic111)) 112 | - Feature/inspec4alerts [\#33](https://github.com/dev-sec/windows-baseline/pull/33) ([imjoseangel](https://github.com/imjoseangel)) 113 | 114 | ## [2.1.1](https://github.com/dev-sec/windows-baseline/tree/2.1.1) (2019-06-11) 115 | 116 | [Full Changelog](https://github.com/dev-sec/windows-baseline/compare/2.1.0...2.1.1) 117 | 118 | **Merged pull requests:** 119 | 120 | - Replace German characters to avoid exec failures and bump version to 2.1.1 [\#36](https://github.com/dev-sec/windows-baseline/pull/36) ([alexpop](https://github.com/alexpop)) 121 | - Update administrative\_templates\_computer.rb [\#32](https://github.com/dev-sec/windows-baseline/pull/32) ([Staggerlee011](https://github.com/Staggerlee011)) 122 | - fix missing "o" in windows-245 [\#31](https://github.com/dev-sec/windows-baseline/pull/31) ([rndmh3ro](https://github.com/rndmh3ro)) 123 | 124 | ## [2.1.0](https://github.com/dev-sec/windows-baseline/tree/2.1.0) (2019-05-16) 125 | 126 | [Full Changelog](https://github.com/dev-sec/windows-baseline/compare/2.0.0...2.1.0) 127 | 128 | **Merged pull requests:** 129 | 130 | - Update gems and bump profile version to 2.1.0 [\#30](https://github.com/dev-sec/windows-baseline/pull/30) ([alexpop](https://github.com/alexpop)) 131 | 132 | ## [2.0.0](https://github.com/dev-sec/windows-baseline/tree/2.0.0) (2019-05-15) 133 | 134 | [Full Changelog](https://github.com/dev-sec/windows-baseline/compare/1.2.0...2.0.0) 
135 | 136 | **Merged pull requests:** 137 | 138 | - New windows cis profile for win2012r2 and 2016 [\#27](https://github.com/dev-sec/windows-baseline/pull/27) ([atomic111](https://github.com/atomic111)) 139 | 140 | ## [1.2.0](https://github.com/dev-sec/windows-baseline/tree/1.2.0) (2019-05-15) 141 | 142 | [Full Changelog](https://github.com/dev-sec/windows-baseline/compare/1.1.2...1.2.0) 143 | 144 | **Merged pull requests:** 145 | 146 | - correct license style and bump version to 1.1.3 [\#28](https://github.com/dev-sec/windows-baseline/pull/28) ([atomic111](https://github.com/atomic111)) 147 | - Update common [\#26](https://github.com/dev-sec/windows-baseline/pull/26) ([atomic111](https://github.com/atomic111)) 148 | - Update issue templates [\#24](https://github.com/dev-sec/windows-baseline/pull/24) ([rndmh3ro](https://github.com/rndmh3ro)) 149 | - fixing control for 'cis-access-cred-manager-2.2.1' [\#23](https://github.com/dev-sec/windows-baseline/pull/23) ([wer-sce](https://github.com/wer-sce)) 150 | 151 | ## [1.1.2](https://github.com/dev-sec/windows-baseline/tree/1.1.2) (2019-03-26) 152 | 153 | [Full Changelog](https://github.com/dev-sec/windows-baseline/compare/1.1.0...1.1.2) 154 | 155 | **Closed issues:** 156 | 157 | - boolean 'or' logic for describe block [\#21](https://github.com/dev-sec/windows-baseline/issues/21) 158 | 159 | **Merged pull requests:** 160 | 161 | - Fixed spelling error [\#17](https://github.com/dev-sec/windows-baseline/pull/17) ([hannah-radish](https://github.com/hannah-radish)) 162 | - Move SMB1 control to windows-baseline [\#16](https://github.com/dev-sec/windows-baseline/pull/16) ([yvovandoorn](https://github.com/yvovandoorn)) 163 | 164 | ## [1.1.0](https://github.com/dev-sec/windows-baseline/tree/1.1.0) (2017-05-08) 165 | 166 | [Full Changelog](https://github.com/dev-sec/windows-baseline/compare/1.0.1...1.1.0) 167 | 168 | **Implemented enhancements:** 169 | 170 | - The baseline should be organized by components 
[\#6](https://github.com/dev-sec/windows-baseline/issues/6) 171 | 172 | **Closed issues:** 173 | 174 | - Licensing information mismatch? [\#4](https://github.com/dev-sec/windows-baseline/issues/4) 175 | 176 | **Merged pull requests:** 177 | 178 | - update metadata [\#15](https://github.com/dev-sec/windows-baseline/pull/15) ([chris-rock](https://github.com/chris-rock)) 179 | - Privacy [\#13](https://github.com/dev-sec/windows-baseline/pull/13) ([MattTunny](https://github.com/MattTunny)) 180 | - add cis tags for some controls [\#12](https://github.com/dev-sec/windows-baseline/pull/12) ([chris-rock](https://github.com/chris-rock)) 181 | - add references to powershell hardening [\#11](https://github.com/dev-sec/windows-baseline/pull/11) ([chris-rock](https://github.com/chris-rock)) 182 | - restrict ruby testing in travis to 2.3.3 [\#10](https://github.com/dev-sec/windows-baseline/pull/10) ([chris-rock](https://github.com/chris-rock)) 183 | - added powershell test [\#9](https://github.com/dev-sec/windows-baseline/pull/9) ([MattTunny](https://github.com/MattTunny)) 184 | - rename controls [\#8](https://github.com/dev-sec/windows-baseline/pull/8) ([chris-rock](https://github.com/chris-rock)) 185 | - add contribution guidelines [\#7](https://github.com/dev-sec/windows-baseline/pull/7) ([chris-rock](https://github.com/chris-rock)) 186 | 187 | ## [1.0.1](https://github.com/dev-sec/windows-baseline/tree/1.0.1) (2017-02-01) 188 | 189 | [Full Changelog](https://github.com/dev-sec/windows-baseline/compare/5b20a47a9d7ce334d28800aa5719e5bf83fd3898...1.0.1) 190 | 191 | **Merged pull requests:** 192 | 193 | - Removed per control licensing as repo is under Apache 2.0 [\#5](https://github.com/dev-sec/windows-baseline/pull/5) ([grdnrio](https://github.com/grdnrio)) 194 | - 1.0.0 [\#3](https://github.com/dev-sec/windows-baseline/pull/3) ([chris-rock](https://github.com/chris-rock)) 195 | - Switched from Nil to Nobody SID due to mismatch on 2012R2 
[\#2](https://github.com/dev-sec/windows-baseline/pull/2) ([grdnrio](https://github.com/grdnrio)) 196 | - Joeg/sid refactor [\#1](https://github.com/dev-sec/windows-baseline/pull/1) ([grdnrio](https://github.com/grdnrio)) 197 | 198 | 199 | 200 | \* *This Changelog was automatically generated by [github_changelog_generator](https://github.com/github-changelog-generator/github-changelog-generator)* 201 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | ## Contribution Guidelines 2 | 3 | ### Sign your work 4 | 5 | The sign-off is a simple line at the end of the explanation for the 6 | patch, which certifies that you wrote the contribution or otherwise have the 7 | right to pass it on as an open-source patch. The rules (from 8 | [developercertificate.org](http://developercertificate.org/)): 9 | 10 | ``` 11 | Developer Certificate of Origin 12 | Version 1.1 13 | 14 | Copyright (C) 2004, 2006 The Linux Foundation and its contributors. 15 | 660 York Street, Suite 102, 16 | San Francisco, CA 94110 USA 17 | 18 | Everyone is permitted to copy and distribute verbatim copies of this 19 | license document, but changing it is not allowed. 
20 | 21 | 22 | Developer's Certificate of Origin 1.1 23 | 24 | By making a contribution to this project, I certify that: 25 | 26 | (a) The contribution was created in whole or in part by me and I 27 | have the right to submit it under the open source license 28 | indicated in the file; or 29 | 30 | (b) The contribution is based upon previous work that, to the best 31 | of my knowledge, is covered under an appropriate open source 32 | license and I have the right under that license to submit that 33 | work with modifications, whether created in whole or in part 34 | by me, under the same open source license (unless I am 35 | permitted to submit under a different license), as indicated 36 | in the file; or 37 | 38 | (c) The contribution was provided directly to me by some other 39 | person who certified (a), (b) or (c) and I have not modified 40 | it. 41 | 42 | (d) I understand and agree that this project and the contribution 43 | are public and that a record of the contribution (including all 44 | personal information I submit with it, including my sign-off) is 45 | maintained indefinitely and may be redistributed consistent with 46 | this project or the open source license(s) involved. 47 | ``` 48 | 49 | you just add the sign-off line to every git commit message: 50 | 51 | Signed-off-by: John Doe 52 | 53 | using your real name (no pseudonyms or anonymous contributions) 54 | 55 | You can add the sign off when creating the git commit via `git commit -s`. 
56 | -------------------------------------------------------------------------------- /Gemfile: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | 3 | source 'https://rubygems.org' 4 | 5 | gem 'cookstyle' 6 | gem 'highline' 7 | gem 'rack' 8 | gem 'rake' 9 | gem 'rubocop' 10 | 11 | group :tools do 12 | gem 'github_changelog_generator' 13 | gem 'pry-coolline' 14 | end 15 | 16 | source 'https://packagecloud.io/cinc-project/stable' do 17 | gem 'chef-config' 18 | gem 'cinc-auditor-bin' 19 | end 20 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | 2 | Apache License 3 | Version 2.0, January 2004 4 | http://www.apache.org/licenses/ 5 | 6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 7 | 8 | 1. Definitions. 9 | 10 | "License" shall mean the terms and conditions for use, reproduction, 11 | and distribution as defined by Sections 1 through 9 of this document. 12 | 13 | "Licensor" shall mean the copyright owner or entity authorized by 14 | the copyright owner that is granting the License. 15 | 16 | "Legal Entity" shall mean the union of the acting entity and all 17 | other entities that control, are controlled by, or are under common 18 | control with that entity. For the purposes of this definition, 19 | "control" means (i) the power, direct or indirect, to cause the 20 | direction or management of such entity, whether by contract or 21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 22 | outstanding shares, or (iii) beneficial ownership of such entity. 23 | 24 | "You" (or "Your") shall mean an individual or Legal Entity 25 | exercising permissions granted by this License. 
26 | 27 | "Source" form shall mean the preferred form for making modifications, 28 | including but not limited to software source code, documentation 29 | source, and configuration files. 30 | 31 | "Object" form shall mean any form resulting from mechanical 32 | transformation or translation of a Source form, including but 33 | not limited to compiled object code, generated documentation, 34 | and conversions to other media types. 35 | 36 | "Work" shall mean the work of authorship, whether in Source or 37 | Object form, made available under the License, as indicated by a 38 | copyright notice that is included in or attached to the work 39 | (an example is provided in the Appendix below). 40 | 41 | "Derivative Works" shall mean any work, whether in Source or Object 42 | form, that is based on (or derived from) the Work and for which the 43 | editorial revisions, annotations, elaborations, or other modifications 44 | represent, as a whole, an original work of authorship. For the purposes 45 | of this License, Derivative Works shall not include works that remain 46 | separable from, or merely link (or bind by name) to the interfaces of, 47 | the Work and Derivative Works thereof. 48 | 49 | "Contribution" shall mean any work of authorship, including 50 | the original version of the Work and any modifications or additions 51 | to that Work or Derivative Works thereof, that is intentionally 52 | submitted to Licensor for inclusion in the Work by the copyright owner 53 | or by an individual or Legal Entity authorized to submit on behalf of 54 | the copyright owner. 
For the purposes of this definition, "submitted" 55 | means any form of electronic, verbal, or written communication sent 56 | to the Licensor or its representatives, including but not limited to 57 | communication on electronic mailing lists, source code control systems, 58 | and issue tracking systems that are managed by, or on behalf of, the 59 | Licensor for the purpose of discussing and improving the Work, but 60 | excluding communication that is conspicuously marked or otherwise 61 | designated in writing by the copyright owner as "Not a Contribution." 62 | 63 | "Contributor" shall mean Licensor and any individual or Legal Entity 64 | on behalf of whom a Contribution has been received by Licensor and 65 | subsequently incorporated within the Work. 66 | 67 | 2. Grant of Copyright License. Subject to the terms and conditions of 68 | this License, each Contributor hereby grants to You a perpetual, 69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 70 | copyright license to reproduce, prepare Derivative Works of, 71 | publicly display, publicly perform, sublicense, and distribute the 72 | Work and such Derivative Works in Source or Object form. 73 | 74 | 3. Grant of Patent License. Subject to the terms and conditions of 75 | this License, each Contributor hereby grants to You a perpetual, 76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 77 | (except as stated in this section) patent license to make, have made, 78 | use, offer to sell, sell, import, and otherwise transfer the Work, 79 | where such license applies only to those patent claims licensable 80 | by such Contributor that are necessarily infringed by their 81 | Contribution(s) alone or by combination of their Contribution(s) 82 | with the Work to which such Contribution(s) was submitted. 
If You 83 | institute patent litigation against any entity (including a 84 | cross-claim or counterclaim in a lawsuit) alleging that the Work 85 | or a Contribution incorporated within the Work constitutes direct 86 | or contributory patent infringement, then any patent licenses 87 | granted to You under this License for that Work shall terminate 88 | as of the date such litigation is filed. 89 | 90 | 4. Redistribution. You may reproduce and distribute copies of the 91 | Work or Derivative Works thereof in any medium, with or without 92 | modifications, and in Source or Object form, provided that You 93 | meet the following conditions: 94 | 95 | (a) You must give any other recipients of the Work or 96 | Derivative Works a copy of this License; and 97 | 98 | (b) You must cause any modified files to carry prominent notices 99 | stating that You changed the files; and 100 | 101 | (c) You must retain, in the Source form of any Derivative Works 102 | that You distribute, all copyright, patent, trademark, and 103 | attribution notices from the Source form of the Work, 104 | excluding those notices that do not pertain to any part of 105 | the Derivative Works; and 106 | 107 | (d) If the Work includes a "NOTICE" text file as part of its 108 | distribution, then any Derivative Works that You distribute must 109 | include a readable copy of the attribution notices contained 110 | within such NOTICE file, excluding those notices that do not 111 | pertain to any part of the Derivative Works, in at least one 112 | of the following places: within a NOTICE text file distributed 113 | as part of the Derivative Works; within the Source form or 114 | documentation, if provided along with the Derivative Works; or, 115 | within a display generated by the Derivative Works, if and 116 | wherever such third-party notices normally appear. The contents 117 | of the NOTICE file are for informational purposes only and 118 | do not modify the License. 
You may add Your own attribution 119 | notices within Derivative Works that You distribute, alongside 120 | or as an addendum to the NOTICE text from the Work, provided 121 | that such additional attribution notices cannot be construed 122 | as modifying the License. 123 | 124 | You may add Your own copyright statement to Your modifications and 125 | may provide additional or different license terms and conditions 126 | for use, reproduction, or distribution of Your modifications, or 127 | for any such Derivative Works as a whole, provided Your use, 128 | reproduction, and distribution of the Work otherwise complies with 129 | the conditions stated in this License. 130 | 131 | 5. Submission of Contributions. Unless You explicitly state otherwise, 132 | any Contribution intentionally submitted for inclusion in the Work 133 | by You to the Licensor shall be under the terms and conditions of 134 | this License, without any additional terms or conditions. 135 | Notwithstanding the above, nothing herein shall supersede or modify 136 | the terms of any separate license agreement you may have executed 137 | with Licensor regarding such Contributions. 138 | 139 | 6. Trademarks. This License does not grant permission to use the trade 140 | names, trademarks, service marks, or product names of the Licensor, 141 | except as required for reasonable and customary use in describing the 142 | origin of the Work and reproducing the content of the NOTICE file. 143 | 144 | 7. Disclaimer of Warranty. Unless required by applicable law or 145 | agreed to in writing, Licensor provides the Work (and each 146 | Contributor provides its Contributions) on an "AS IS" BASIS, 147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 148 | implied, including, without limitation, any warranties or conditions 149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 150 | PARTICULAR PURPOSE. 
You are solely responsible for determining the 151 | appropriateness of using or redistributing the Work and assume any 152 | risks associated with Your exercise of permissions under this License. 153 | 154 | 8. Limitation of Liability. In no event and under no legal theory, 155 | whether in tort (including negligence), contract, or otherwise, 156 | unless required by applicable law (such as deliberate and grossly 157 | negligent acts) or agreed to in writing, shall any Contributor be 158 | liable to You for damages, including any direct, indirect, special, 159 | incidental, or consequential damages of any character arising as a 160 | result of this License or out of the use or inability to use the 161 | Work (including but not limited to damages for loss of goodwill, 162 | work stoppage, computer failure or malfunction, or any and all 163 | other commercial damages or losses), even if such Contributor 164 | has been advised of the possibility of such damages. 165 | 166 | 9. Accepting Warranty or Additional Liability. While redistributing 167 | the Work or Derivative Works thereof, You may choose to offer, 168 | and charge a fee for, acceptance of support, warranty, indemnity, 169 | or other liability obligations and/or rights consistent with this 170 | License. However, in accepting such obligations, You may act only 171 | on Your own behalf and on Your sole responsibility, not on behalf 172 | of any other Contributor, and only if You agree to indemnify, 173 | defend, and hold each Contributor harmless for any liability 174 | incurred by, or claims asserted against, such Contributor by reason 175 | of your accepting any such warranty or additional liability. 
176 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # windows-baseline 2 | 3 | [![Build Status](http://img.shields.io/travis/dev-sec/windows-baseline.svg)](http://travis-ci.org/dev-sec/windows-baseline) 4 | [![Supermarket](https://img.shields.io/badge/InSpec%20Profile-Windows%20Baseline-brightgreen.svg)](https://supermarket.chef.io/tools/windows-baseline) 5 | 6 | This Baseline ensures that all hardening projects keep the same quality. 7 | 8 | - https://github.com/dev-sec/chef-windows-hardening 9 | - https://github.com/dev-sec/ansible-windows-hardening 10 | 11 | ## Description 12 | 13 | This [InSpec](https://github.com/chef/inspec) compliance profile is inspired by the [CIS](https://downloads.cisecurity.org/) Windows 2012R2 and 2016 Benchmarks and implements those rules in an automated way to provide security best-practice tests around Windows Servers in a production environment. 14 | 15 | __Implements:__ 16 | 17 | * CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018 18 | * CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018 19 | 20 | InSpec is an open-source run-time framework and rule language used to specify compliance, security, and policy requirements for testing any node in your infrastructure. 
21 | 22 | ## Requirements 23 | 24 | * at least [InSpec](http://inspec.io/) Version 3.0.0 25 | * WinRM activated (for inspec remote usage) 26 | 27 | ### Platform 28 | 29 | - Windows 2012R2 30 | - Windows 2016 31 | - Windows 2019 32 | 33 | ## Attributes 34 | 35 | We use a yml attribute file to steer the configuration, the following options are available: 36 | 37 | * `level_1_or_2` 38 | define which CIS Benchmark Level (1 or 2) you want to execute 39 | 40 | * `ms_or_dc` 41 | define if you want to execute the profile in the context of a Member Server (MS) or Domain Controller (DC) 42 | 43 | * `password_history_size` 44 | define password history size 45 | 46 | * `maximum_password_age` 47 | define MaximumPasswordAge 48 | 49 | * `se_network_logon_right` 50 | define which users are allowed to access this computer from the network 51 | 52 | * `se_interactive_logon_right` 53 | define which users are allowed to log on locally 54 | 55 | * `se_remote_interactive_logon_right` 56 | define which users are allowed to log on through Remote Desktop Services 57 | 58 | * `se_backup_privilege` 59 | define which users are allowed to backup files and directories 60 | 61 | * `se_systemtime_privilege` 62 | define which users are allowed to change system time 63 | 64 | * `se_time_zone_privilege` 65 | define which users are allowed to change system time zone 66 | 67 | * `se_create_symbolic_link_privilege` 68 | define which users are allowed to create symbolic links 69 | 70 | * `se_deny_network_logon_right` 71 | define which users are not allowed to access this computer from the network 72 | 73 | * `se_deny_remote_interactive_logon_right` 74 | define which users are not allowed to log on through Remote Desktop Services 75 | 76 | * `se_enable_delegation_privilege` 77 | define which users are allowed to enable computer and user accounts to be trusted 78 | 79 | * `se_impersonate_privilege` 80 | define which users are allowed to impersonate a client after authentication 81 | 82 | * 
`se_load_driver_privilege` 83 | define which users are allowed to load and unload device drivers 84 | 85 | * `se_batch_logon_right` 86 | define which users are allowed to log on as a batch job 87 | 88 | * `se_security_privilege` 89 | define which users are allowed to manage auditing and security logs 90 | 91 | * `se_assign_primary_token_privilege` 92 | define which users are allowed to replace a process level token 93 | 94 | * `se_restore_privilege` 95 | define which users are allowed to restore files and directories 96 | 97 | ## Usage 98 | 99 | InSpec makes it easy to run your tests wherever you need. More options are listed here: [InSpec cli](http://inspec.io/docs/reference/cli/). Note that passing `--password=` on the command line, as in the WinRM examples below, leaves the credential in the shell history and visible to other users in process listings; for anything beyond a quick local test, prefer an InSpec option that supplies the credential outside the command line. 100 | 101 | ``` 102 | # run profile locally and directly from Github 103 | $ inspec exec https://github.com/dev-sec/windows-baseline 104 | 105 | # run profile locally 106 | $ git clone https://github.com/dev-sec/windows-baseline 107 | $ inspec exec windows-baseline 108 | 109 | # run profile on remote host via WinRM 110 | inspec exec windows-baseline -t winrm://:5985 --user= --password= 111 | 112 | # run profile on remote host via WinRM and define attribute value 113 | inspec exec windows-baseline -t winrm://:5985 --user= --password= --attrs sample_attributes.yml 114 | 115 | # run profile directly from inspec supermarket 116 | inspec supermarket exec dev-sec/windows-baseline -t winrm://:5985 --user= --password= 117 | ``` 118 | 119 | ### Run individual controls 120 | 121 | In order to verify individual controls, just provide the control ids to InSpec: 122 | 123 | ``` 124 | inspec exec windows-baseline --controls 'windows-001' 125 | ``` 126 | 127 | ## ToDo 128 | 129 | - adjust the inspec attributes according to the profile (Member Server or Domain Controller), because for the Domain Controller some attributes are different from a Member Server 130 | 131 | ## Contributors + Kudos 132 | 133 | * Patrick Muench [atomic111](https://github.com/atomic111) 134 | * Torsten Löbner 
[TLoebner](https://github.com/TLoebner) 135 | * Karsten Mueller [karstenmueller](https://github.com/karstenmueller) 136 | 137 | ## License and Author 138 | 139 | | | | 140 | |----------------|-----------------------------------------------| 141 | | **Author:** | Patrick Muench | 142 | | **Author:** | Torsten Loebner | 143 | | **Copyright:** | 2019 SVA System Vertrieb Alexander GmbH | 144 | | **Copyright:** | 2019 Lichtblick SE | 145 | | **Copyright:** | 2015-2016, Chef Software, Inc | 146 | | **Copyright:** | DevSec Hardening Framework Team | 147 | | **License:** | Apache License Version 2.0 | 148 | -------------------------------------------------------------------------------- /Rakefile: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | 3 | require 'cookstyle' 4 | require 'rake/testtask' 5 | require 'rubocop/rake_task' 6 | 7 | # Rubocop 8 | desc 'Run Rubocop lint checks' 9 | task :rubocop do 10 | RuboCop::RakeTask.new 11 | end 12 | 13 | RuboCop::RakeTask.new(:cookstyle) do |task| 14 | task.options << '--display-cop-names' 15 | end 16 | 17 | # lint the project 18 | desc 'Run robocop linter' 19 | task lint: [:rubocop] 20 | 21 | # run tests 22 | task default: [:lint, 'test:check'] 23 | 24 | namespace :test do 25 | # run inspec check to verify that the profile is properly configured 26 | task :check do 27 | require 'inspec' 28 | puts "Checking profile with InSpec Version: #{Inspec::VERSION}" 29 | profile = Inspec::Profile.for_target('.', backend: Inspec::Backend.create(Inspec::Config.mock)) 30 | pp profile.check 31 | end 32 | end 33 | 34 | task :changelog do 35 | # Automatically generate a changelog for this project. Only loaded if 36 | # the necessary gem is installed. By default its picking up the version from 37 | # inspec.yml. 
You can override that behavior with `rake changelog to=1.2.0` 38 | 39 | require 'yaml' 40 | metadata = YAML.load_file('inspec.yml') 41 | v = ENV['to'] || metadata['version'] 42 | puts " * Generating changelog for version #{v}" 43 | require 'github_changelog_generator/task' 44 | GitHubChangelogGenerator::RakeTask.new :changelog do |config| 45 | config.future_release = v 46 | config.user = 'dev-sec' 47 | config.project = 'windows-baseline' 48 | end 49 | Rake::Task[:changelog].execute 50 | rescue LoadError 51 | puts '>>>>> GitHub Changelog Generator not loaded, omitting tasks' 52 | end 53 | -------------------------------------------------------------------------------- /controls/account_policies.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | 3 | title 'account policies' 4 | 5 | control 'windows-001' do 6 | title 'Ensure \'Enforce password history\' is set to \'24 or more password(s)\'' 7 | desc 'This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. The value for this policy setting must be between 0 and 24 passwords. The default value for Windows Vista is 0 passwords, but the default setting in a domain is 24 passwords. To maintain the effectiveness of this policy setting, use the Minimum password age setting to prevent users from repeatedly changing their password. 8 | 9 | The recommended state for this setting is: 24 or more password(s).' 
10 | impact 1.0 11 | tag 'windows': %w(2012R2 2016 2019) 12 | tag 'profile': ['Domain Controller', 'Member Server'] 13 | tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '1.1.1' 14 | tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '1.1.1' 15 | tag 'level': '1' 16 | tag 'bsi': ['SYS.1.2.2.M3', 'Sichere Administration'] 17 | ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html' 18 | ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html' 19 | ref 'Center for Internet Security', url: 'https://www.cisecurity.org/' 20 | describe security_policy do 21 | its('PasswordHistorySize') { should be >= input('password_history_size') } 22 | end 23 | end 24 | 25 | control 'windows-002' do 26 | title 'Ensure \'Maximum password age\' is set to \'60 or fewer days, but not 0\'' 27 | desc 'This policy setting defines how long a user can use their password before it expires. 28 | 29 | Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. 30 | 31 | Because attackers can crack passwords, the more frequently you change the password the less opportunity an attacker has to use a cracked password. However, the lower this value is set, the higher the potential for an increase in calls to help desk support due to users having to change their password or forgetting which password is current. 32 | 33 | The recommended state for this setting is 60 or fewer days, but not 0.' 
34 | impact 1.0 35 | tag 'windows': %w(2012R2 2016 2019) 36 | tag 'profile': ['Domain Controller', 'Member Server'] 37 | tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '1.1.2' 38 | tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '1.1.2' 39 | tag 'level': '1' 40 | tag 'bsi': ['SYS.1.2.2.M3', 'Sichere Administration'] 41 | ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html' 42 | ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html' 43 | ref 'Center for Internet Security', url: 'https://www.cisecurity.org/' 44 | describe security_policy do 45 | its('MaximumPasswordAge') { should be <= input('maximum_password_age') } 46 | end 47 | describe security_policy do 48 | its('MaximumPasswordAge') { should be > 0 } 49 | end 50 | end 51 | 52 | control 'windows-003' do 53 | title 'Ensure \'Minimum password age\' is set to \'1 or more day(s)\'' 54 | desc 'This policy setting determines the number of days that you must use a password before you can change it. The range of values for this policy setting is between 1 and 999 days. (You may also set the value to 0 to allow immediate password changes.) The default value for this setting is 0 days. 55 | 56 | The recommended state for this setting is: 1 or more day(s).' 
57 | impact 1.0 58 | tag 'windows': %w(2012R2 2016 2019) 59 | tag 'profile': ['Domain Controller', 'Member Server'] 60 | tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '1.1.3' 61 | tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '1.1.3' 62 | tag 'level': '1' 63 | tag 'bsi': ['SYS.1.2.2.M3', 'Sichere Administration'] 64 | ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html' 65 | ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html' 66 | ref 'Center for Internet Security', url: 'https://www.cisecurity.org/' 67 | describe security_policy do 68 | its('MinimumPasswordAge') { should be >= 1 } 69 | end 70 | end 71 | 72 | control 'windows-004' do 73 | title 'Ensure \'Minimum password length\' is set to \'14 or more character(s)\'' 74 | desc 'This policy setting determines the least number of characters that make up a password for a user account. There are many different theories about how to determine the best password length for an organization, but perhaps "pass phrase" is a better term than "password." In Microsoft Windows 2000 and newer, pass phrases can be quite long and can include spaces. Therefore, a phrase such as "I want to drink a $5 milkshake" is a valid pass phrase; it is a considerably stronger password than an 8 or 10 character string of random numbers and letters, and yet is easier to remember. Users must be educated about the proper selection and maintenance of passwords, especially with regard to password length. In enterprise environments, the ideal value for the Minimum password length setting is 14 characters, however you should adjust this value to meet your organization\'s business requirements. 
75 | 76 | The recommended state for this setting is: 14 or more character(s). ' 77 | impact 1.0 78 | tag 'windows': %w(2012R2 2016 2019) 79 | tag 'profile': ['Domain Controller', 'Member Server'] 80 | tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '1.1.4' 81 | tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '1.1.4' 82 | tag 'level': '1' 83 | tag 'bsi': ['SYS.1.2.2.M3', 'Sichere Administration'] # FIXME: check Baustein 84 | ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html' 85 | ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html' 86 | ref 'Center for Internet Security', url: 'https://www.cisecurity.org/' 87 | describe security_policy do 88 | its('MinimumPasswordLength') { should be >= 14 } 89 | end 90 | end 91 | 92 | control 'windows-005' do 93 | title 'Ensure \'Password must meet complexity requirements\' is set to \'Enabled\'' 94 | desc 'This policy setting checks all new passwords to ensure that they meet basic requirements for strong passwords. 95 | When this policy is enabled, passwords must meet the following minimum requirements: -- Not contain the user\'s account name or parts of the user\'s full name that exceed two consecutive characters 96 | -- Be at least six characters in length 97 | -- Contain characters from three of the following four categories: 98 | ---- English uppercase characters (A through Z) 99 | ---- English lowercase characters (a through z) 100 | ---- Base 10 digits (0 through 9) 101 | ---- Non-alphabetic characters (for example, !, $, #, %) 102 | ---- A catch-all category of any Unicode character that does not fall under the previous four categories. This fifth category can be regionally specific. 
103 | Each additional character in a password increases its complexity exponentially. For instance, a seven-character, all lower-case alphabetic password would have 267 (approximately 8 x 109 or 8 billion) possible combinations. At 1,000,000 attempts per second (a capability of many password-cracking utilities), it would only take 133 minutes to crack. A seven-character alphabetic password with case sensitivity has 527 combinations. A seven-character case-sensitive alphanumeric password without punctuation has 627 combinations. An eight-character password has 268 (or 2 x 1011) possible combinations. Although this might seem to be a large number, at 1,000,000 attempts per second it would take only 59 hours to try all possible passwords. Remember, these times will significantly increase for passwords that use ALT characters and other special keyboard characters such as "!" or "@". Proper use of the password settings can help make it difficult to mount a brute force attack. 104 | The recommended state for this setting is: Enabled.' 
105 | impact 1.0 106 | tag 'windows': %w(2012R2 2016 2019) 107 | tag 'profile': ['Domain Controller', 'Member Server'] 108 | tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '1.1.5' 109 | tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '1.1.5' 110 | tag 'level': '1' 111 | tag 'bsi': ['SYS.1.2.2.M3', 'Sichere Administration'] 112 | ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html' 113 | ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html' 114 | ref 'Center for Internet Security', url: 'https://www.cisecurity.org/' 115 | describe security_policy do 116 | its('PasswordComplexity') { should eq 1 } 117 | end 118 | end 119 | 120 | control 'windows-006' do 121 | title 'Ensure \'Store passwords using reversible encryption\' is set to \'Disabled\'' 122 | desc 'This policy setting determines whether the operating system stores passwords in a way that uses reversible encryption, which provides support for application protocols that require knowledge of the user\'s password for authentication purposes. Passwords that are stored with reversible encryption are essentially the same as plaintext versions of the passwords. 123 | 124 | The recommended state for this setting is: Disabled.' 
125 | impact 1.0 126 | tag 'windows': %w(2012R2 2016 2019) 127 | tag 'profile': ['Domain Controller', 'Member Server'] 128 | tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '1.1.6' 129 | tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '1.1.6' 130 | tag 'level': '1' 131 | tag 'bsi': ['SYS.1.2.2.M3', 'Sichere Administration'] 132 | ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html' 133 | ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html' 134 | ref 'Center for Internet Security', url: 'https://www.cisecurity.org/' 135 | describe security_policy do 136 | its('ClearTextPassword') { should eq 0 } 137 | end 138 | end 139 | 140 | control 'windows-007' do 141 | title 'Ensure \'Account lockout duration\' is set to \'15 or more minute(s)\'' 142 | desc 'This policy setting determines the length of time that must pass before a locked account is unlocked and a user can try to log on again. The setting does this by specifying the number of minutes a locked out account will remain unavailable. If the value for this policy setting is configured to 0, locked out accounts will remain locked out until an administrator manually unlocks them. 143 | 144 | Although it might seem like a good idea to configure the value for this policy setting to a high value, such a configuration will likely increase the number of calls that the help desk receives to unlock accounts locked by mistake. Users should be aware of the length of time a lock remains in place, so that they realize they only need to call the help desk if they have an extremely urgent need to regain access to their computer. 145 | 146 | The recommended state for this setting is: 15 or more minute(s).' 
147 | impact 1.0 148 | tag 'windows': %w(2012R2 2016 2019) 149 | tag 'profile': ['Domain Controller', 'Member Server'] 150 | tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '1.2.1' 151 | tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '1.2.1' 152 | tag 'level': '1' 153 | tag 'bsi': ['SYS.1.2.2.M3', 'Sichere Administration'] 154 | ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html' 155 | ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html' 156 | ref 'Center for Internet Security', url: 'https://www.cisecurity.org/' 157 | describe security_policy do 158 | its('LockoutDuration') { should be >= 15 } 159 | end 160 | end 161 | 162 | control 'windows-008' do 163 | title 'Ensure \'Account lockout threshold\' is set to \'10 or fewer invalid logon attempt(s), but not 0\'' 164 | desc 'This policy setting determines the number of failed logon attempts before the account is locked. Setting this policy to 0 does not conform to the benchmark as doing so disables the account lockout threshold. 165 | 166 | The recommended state for this setting is: 10 or fewer invalid logon attempt(s), but not 0.' 
167 | impact 1.0 168 | tag 'windows': %w(2012R2 2016 2019) 169 | tag 'profile': ['Domain Controller', 'Member Server'] 170 | tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '1.2.2' 171 | tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '1.2.2' 172 | tag 'level': '1' 173 | tag 'bsi': ['SYS.1.2.2.M3', 'Sichere Administration'] # FIXME: check Baustein 174 | ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html' 175 | ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html' 176 | ref 'Center for Internet Security', url: 'https://www.cisecurity.org/' 177 | describe security_policy do 178 | its('LockoutBadCount') { should be <= 10 } 179 | end 180 | describe security_policy do 181 | its('LockoutBadCount') { should be > 0 } 182 | end 183 | end 184 | 185 | control 'windows-009' do 186 | title 'Ensure \'Reset account lockout counter after\' is set to \'15 or more minute(s)\'' 187 | desc 'This policy setting determines the length of time before the Account lockout threshold resets to zero. The default value for this policy setting is Not Defined. If the Account lockout threshold is defined, this reset time must be less than or equal to the value for the Account lockout duration setting. 188 | If you leave this policy setting at its default value or configure the value to an interval that is too long, your environment could be vulnerable to a DoS attack. An attacker could maliciously perform a number of failed logon attempts on all users in the organization, which will lock out their accounts. If no policy were determined to reset the account lockout, it would be a manual task for administrators. 
Conversely, if a reasonable time value is configured for this policy setting, users would be locked out for a set period until all of the accounts are unlocked automatically. 189 | 190 | The recommended state for this setting is: 15 or more minute(s).' 191 | impact 1.0 192 | tag 'windows': %w(2012R2 2016 2019) 193 | tag 'profile': ['Domain Controller', 'Member Server'] 194 | tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '1.2.3' 195 | tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '1.2.3' 196 | tag 'level': '1' 197 | tag 'bsi': ['SYS.1.2.2.M3', 'Sichere Administration'] # FIXME: check Baustein 198 | ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html' 199 | ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html' 200 | ref 'Center for Internet Security', url: 'https://www.cisecurity.org/' 201 | describe security_policy do 202 | its('ResetLockoutCount') { should be >= 15 } 203 | end 204 | end 205 | -------------------------------------------------------------------------------- /controls/administrative_templates_user.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | 3 | title 'Administrative Templates (User)' 4 | 5 | control 'windows-360' do 6 | title 'Ensure \'Enable screen saver\' is set to \'Enabled\'' 7 | desc 'This policy setting enables/disables the use of desktop screen savers. 8 | 9 | The recommended state for this setting is: Enabled.' 
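  impact 1.0
  tag 'windows': %w(2012R2 2016 2019)
  tag 'profile': ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '19.1.3.1'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '19.1.3.1'
  tag 'level': '1'
  tag 'bsi': ['SYS.1.2.2.M3', 'Sichere Administration', 'SYS.1.2.2.M4', 'Sichere Konfiguration']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  # Per-user policy: only user hives currently loaded under HKEY_USERS
  # (S-1-5-21-* SIDs, i.e. domain/local accounts) can be inspected.
  user_hives = registry_key(hive: 'HKEY_USERS').children(/^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}$/)
  # With no loaded user hive the loop below emits no test at all and the control
  # would look clean; report explicitly that the setting was not evaluated.
  if user_hives.empty?
    describe 'HKEY_USERS user hives' do
      skip 'No user hive (S-1-5-21-*) is loaded under HKEY_USERS, so this per-user setting was not evaluated'
    end
  end
  user_hives.map { |sid| "#{sid}\\Software\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop" }.each do |entry|
    describe registry_key(entry) do
      it { should exist }
      it { should have_property 'ScreenSaveActive' }
      its('ScreenSaveActive') { should cmp 1 }
    end
  end
end

control 'windows-361' do
  title 'Ensure \'Force specific screen saver: Screen saver executable name\' is set to \'Enabled: scrnsave.scr\''
  desc 'This policy setting specifies the screen saver for the user\'s desktop.

  The recommended state for this setting is: Enabled: scrnsave.scr.'
  impact 1.0
  tag 'windows': %w(2012R2 2016 2019)
  tag 'profile': ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '19.1.3.2'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '19.1.3.2'
  tag 'level': '1'
  tag 'bsi': ['SYS.1.2.2.M4', 'Sichere Konfiguration']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  # Per-user policy: only user hives currently loaded under HKEY_USERS can be inspected.
  user_hives = registry_key(hive: 'HKEY_USERS').children(/^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}$/)
  # An empty hive list must not read as "compliant"; surface it as a skip.
  if user_hives.empty?
    describe 'HKEY_USERS user hives' do
      skip 'No user hive (S-1-5-21-*) is loaded under HKEY_USERS, so this per-user setting was not evaluated'
    end
  end
  user_hives.map { |sid| "#{sid}\\Software\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop" }.each do |entry|
    describe registry_key(entry) do
      it { should exist }
      it { should have_property 'SCRNSAVE.EXE' }
      # Exact (case-sensitive) match on the executable name the policy writes.
      its(['SCRNSAVE.EXE']) { should eq 'scrnsave.scr' }
    end
  end
end

control 'windows-362' do
  title 'Ensure \'Password protect the screen saver\' is set to \'Enabled\''
  desc 'This setting determines whether screen savers used on the computer are password protected.

  The recommended state for this setting is: Enabled.'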
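  impact 1.0
  tag 'windows': %w(2012R2 2016 2019)
  tag 'profile': ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '19.1.3.3'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '19.1.3.3'
  tag 'level': '1'
  tag 'bsi': ['SYS.1.2.2.M4', 'Sichere Konfiguration']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  # Per-user policy: only user hives currently loaded under HKEY_USERS can be inspected.
  user_hives = registry_key(hive: 'HKEY_USERS').children(/^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}$/)
  # An empty hive list must not read as "compliant"; surface it as a skip.
  if user_hives.empty?
    describe 'HKEY_USERS user hives' do
      skip 'No user hive (S-1-5-21-*) is loaded under HKEY_USERS, so this per-user setting was not evaluated'
    end
  end
  user_hives.map { |sid| "#{sid}\\Software\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop" }.each do |entry|
    describe registry_key(entry) do
      it { should exist }
      it { should have_property 'ScreenSaverIsSecure' }
      its('ScreenSaverIsSecure') { should cmp 1 }
    end
  end
end

control 'windows-363' do
  title 'Ensure \'Screen saver timeout\' is set to \'Enabled: 900 seconds or fewer, but not 0\''
  desc 'This setting specifies how much user idle time must elapse before the screen saver is launched.

  The recommended state for this setting is: Enabled: 900 seconds or fewer, but not 0.'
  impact 1.0
  tag 'windows': %w(2012R2 2016 2019)
  tag 'profile': ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '19.1.3.4'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '19.1.3.4'
  tag 'level': '1'
  tag 'bsi': ['SYS.1.2.2.M4', 'Sichere Konfiguration']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  # Per-user policy: only user hives currently loaded under HKEY_USERS can be inspected.
  user_hives = registry_key(hive: 'HKEY_USERS').children(/^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}$/)
  # An empty hive list must not read as "compliant"; surface it as a skip.
  if user_hives.empty?
    describe 'HKEY_USERS user hives' do
      skip 'No user hive (S-1-5-21-*) is loaded under HKEY_USERS, so this per-user setting was not evaluated'
    end
  end
  user_hives.map { |sid| "#{sid}\\Software\\Policies\\Microsoft\\Windows\\Control Panel\\Desktop" }.each do |entry|
    describe registry_key(entry) do
      it { should exist }
      it { should have_property 'ScreenSaveTimeOut' }
      # Both bounds use the type-tolerant cmp matcher: the upper bound already
      # did, and a strict `should_not eq 0` can never fail when the registry
      # hands back the value as the string "0" rather than the integer 0.
      its('ScreenSaveTimeOut') { should cmp <= 900 }
      its('ScreenSaveTimeOut') { should_not cmp 0 }
    end
  end
end

control 'windows-364' do
  title 'Ensure \'Turn off toast notifications on the lock screen\' is set to \'Enabled\''
  desc 'This policy setting turns off toast notifications on the lock screen.

  The recommended state for this setting is Enabled.'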
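  impact 1.0
  tag 'windows': %w(2012R2 2016 2019)
  tag 'profile': ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '19.5.1.1'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '19.5.1.1'
  tag 'level': '1'
  tag 'bsi': ['SYS.1.2.2.M4', 'Sichere Konfiguration']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  # Per-user policy: only user hives currently loaded under HKEY_USERS can be inspected.
  user_hives = registry_key(hive: 'HKEY_USERS').children(/^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}$/)
  # An empty hive list must not read as "compliant"; surface it as a skip.
  if user_hives.empty?
    describe 'HKEY_USERS user hives' do
      skip 'No user hive (S-1-5-21-*) is loaded under HKEY_USERS, so this per-user setting was not evaluated'
    end
  end
  user_hives.map { |sid| "#{sid}\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications" }.each do |entry|
    describe registry_key(entry) do
      it { should exist }
      it { should have_property 'NoToastApplicationNotificationOnLockScreen' }
      # cmp rather than eq, consistent with the other DWORD checks in this file.
      its('NoToastApplicationNotificationOnLockScreen') { should cmp 1 }
    end
  end
end

control 'windows-365' do
  title 'Ensure \'Turn off Help Experience Improvement Program\' is set to \'Enabled\''
  desc 'This policy setting specifies whether users can participate in the Help Experience Improvement program. The Help Experience Improvement program collects information about how customers use Windows Help so that Microsoft can improve it.

  The recommended state for this setting is: Enabled.'
  impact 0.5
  tag 'windows': %w(2012R2 2016 2019)
  tag 'profile': ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '19.6.5.1.1'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '19.6.5.1.1'
  tag 'level': '2'
  tag 'bsi': ['SYS.1.2.2.M4', 'Sichere Konfiguration']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  # Level 2 control: skipped entirely unless the profile is run at level 2.
  only_if('This Control only executes if attribute(\'level_1_or_2\') is set to 2') do
    input('level_1_or_2') == 2
  end
  # Per-user policy: only user hives currently loaded under HKEY_USERS can be inspected.
  user_hives = registry_key(hive: 'HKEY_USERS').children(/^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}$/)
  # An empty hive list must not read as "compliant"; surface it as a skip.
  if user_hives.empty?
    describe 'HKEY_USERS user hives' do
      skip 'No user hive (S-1-5-21-*) is loaded under HKEY_USERS, so this per-user setting was not evaluated'
    end
  end
  user_hives.map { |sid| "#{sid}\\Software\\Policies\\Microsoft\\Assistance\\Client\\1.0" }.each do |entry|
    describe registry_key(entry) do
      it { should exist }
      it { should have_property 'NoImplicitFeedback' }
      its('NoImplicitFeedback') { should cmp 1 }
    end
  end
end

control 'windows-366' do
  title 'Ensure \'Do not preserve zone information in file attachments\' is set to \'Disabled\''
  desc 'This policy setting allows you to manage whether Windows marks file attachments with information about their zone of origin (such as restricted, Internet, intranet, local). This requires NTFS in order to function correctly, and will fail without notice on FAT32. By not preserving the zone information, Windows cannot make proper risk assessments.

  The recommended state for this setting is: Disabled.'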
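# ... tail of control 'windows-366' (its header lies before this span) ...
  impact 1.0
  tag 'windows': %w(2012R2 2016 2019)
  tag 'profile': ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '19.7.4.1'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '19.7.4.1'
  tag 'level': '1'
  tag 'bsi': ['SYS.1.2.2.M4', 'Sichere Konfiguration']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  # Per-user policy (CIS section 19): inspect every user hive currently loaded under
  # HKEY_USERS whose name is an account SID (S-1-5-21-<3 sub-authorities>-<RID>). The
  # pattern leaves out .DEFAULT, the service SIDs S-1-5-18/19/20 and the *_Classes keys.
  # NOTE(review): HKEY_USERS only holds the hives of profiles that are loaded right now,
  # so users who are not logged on are not checked, and when nothing matches no describe
  # block is registered at all -- the control then reports no tests instead of failing.
  registry_key(hive: 'HKEY_USERS').children(/^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}$/).map { |x| "#{x}\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Attachments" }.each do |entry|
    describe registry_key(entry) do
      it { should exist }
      it { should have_property 'SaveZoneInformation' }
      # 2 is the 'Disabled' state of "Do not preserve zone information in file attachments",
      # i.e. the Mark-of-the-Web zone identifier is kept on downloaded files.
      its('SaveZoneInformation') { should eq 2 }
    end
  end
end

control 'windows-367' do
  title 'Ensure \'Notify antivirus programs when opening attachments\' is set to \'Enabled\''
  desc 'This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they will all be notified.

The recommended state for this setting is: Enabled.'
  impact 1.0
  tag 'windows': %w(2012R2 2016 2019)
  tag 'profile': ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '19.7.4.2'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '19.7.4.2'
  tag 'level': '1'
  tag 'bsi': ['SYS.1.2.2.M4', 'Sichere Konfiguration']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  # Same per-user hive walk as above; only currently loaded profiles are visited.
  registry_key(hive: 'HKEY_USERS').children(/^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}$/).map { |x| "#{x}\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Attachments" }.each do |entry|
    describe registry_key(entry) do
      it { should exist }
      it { should have_property 'ScanWithAntiVirus' }
      # 3 = policy 'Enabled' (registered antivirus programs are notified on open).
      its('ScanWithAntiVirus') { should eq 3 }
    end
  end
end

control 'windows-368' do
  # Fixed: the title was missing the opening quote around 'Disabled', which rendered the
  # control name inconsistently in reports (it read "is set to Disabled'").
  title 'Ensure \'Configure Windows spotlight on Lock Screen\' is set to \'Disabled\''
  desc 'This policy setting lets you configure Windows Spotlight on the lock screen.

The recommended state for this setting is: Disabled.'
  impact 0.5
  tag 'windows': %w(2016 2019)
  tag 'profile': ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '19.7.7.1'
  tag 'level': '2'
  tag 'bsi': ['SYS.1.2.2.M4', 'Sichere Konfiguration']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  # Level-2 control that only exists from Server 2016 on; skipped otherwise.
  only_if('Only for Windows Server 2016, 2019 and if attribute(\'level_1_or_2\') is set to 2') do
    (((os[:name].include? '2016') || (os[:name].include? '2019')) && input('level_1_or_2') == 2)
  end
  registry_key(hive: 'HKEY_USERS').children(/^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}$/).map { |x| "#{x}\\Software\\Policies\\Microsoft\\Windows\\CloudContent" }.each do |entry|
    describe registry_key(entry) do
      it { should exist }
      it { should have_property 'ConfigureWindowsSpotlight' }
      # 2 = policy 'Disabled' (Spotlight is not shown on the lock screen).
      its('ConfigureWindowsSpotlight') { should eq 2 }
    end
  end
end

control 'windows-369' do
  title 'Ensure \'Do not suggest third-party content in Windows spotlight\' is set to \'Enabled\''
  desc 'This policy setting determines whether Windows will suggest apps and content from third-party software publishers.

The recommended state for this setting is: Enabled.'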
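# ... tail of control 'windows-369' (its header lies before this span) ...
  impact 1.0
  tag 'windows': %w(2016 2019)
  tag 'profile': ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '19.7.7.2'
  tag 'level': '1'
  tag 'bsi': ['SYS.1.2.2.M4', 'Sichere Konfiguration']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  # The CloudContent policies only exist from Server 2016 on; skipped on 2012 R2.
  only_if('Only for Windows Server 2016, 2019') do
    ((os[:name].include? '2016') || (os[:name].include? '2019'))
  end
  # Per-user policy: walk the user hives currently loaded under HKEY_USERS (account SIDs
  # only; .DEFAULT, S-1-5-18/19/20 and *_Classes keys are excluded by the pattern).
  # NOTE(review): profiles of users who are not logged on are not present in HKEY_USERS
  # and therefore not checked; with no match the control registers no tests at all.
  registry_key(hive: 'HKEY_USERS').children(/^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}$/).map { |x| "#{x}\\Software\\Policies\\Microsoft\\Windows\\CloudContent" }.each do |entry|
    describe registry_key(entry) do
      it { should exist }
      it { should have_property 'DisableThirdPartySuggestions' }
      its('DisableThirdPartySuggestions') { should eq 1 }
    end
  end
end

control 'windows-370' do
  title 'Ensure \'Do not use diagnostic data for tailored experiences\' is set to \'Enabled\''
  desc 'This setting determines if Windows can use diagnostic data to provide tailored experiences to the user.

The recommended state for this setting is: Enabled.'
  impact 0.5
  tag 'windows': %w(2016 2019)
  tag 'profile': ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '19.7.7.3'
  tag 'level': '2'
  tag 'bsi': ['SYS.1.2.2.M4', 'Sichere Konfiguration']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  # Level-2 control that only exists from Server 2016 on; skipped otherwise.
  only_if('Only for Windows Server 2016, 2019 and if attribute(\'level_1_or_2\') is set to 2') do
    (((os[:name].include? '2016') || (os[:name].include? '2019')) && input('level_1_or_2') == 2)
  end
  # Fixed: this control used to assert DisableWindowsSpotlightFeatures, the very value
  # already checked by windows-371 ('Turn off all Windows spotlight features'), so the
  # tailored-experiences policy named in the title was never verified and a host with
  # only Spotlight disabled passed 19.7.7.3. The 'Do not use diagnostic data for tailored
  # experiences' policy writes DisableTailoredExperiencesWithDiagnosticData under the
  # same CloudContent key; 1 = Enabled.
  registry_key(hive: 'HKEY_USERS').children(/^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}$/).map { |x| "#{x}\\Software\\Policies\\Microsoft\\Windows\\CloudContent" }.each do |entry|
    describe registry_key(entry) do
      it { should exist }
      it { should have_property 'DisableTailoredExperiencesWithDiagnosticData' }
      its('DisableTailoredExperiencesWithDiagnosticData') { should eq 1 }
    end
  end
end

control 'windows-371' do
  title 'Ensure \'Turn off all Windows spotlight features\' is set to \'Enabled\''
  desc 'This policy setting lets you turn off all Windows Spotlight features at once.

The recommended state for this setting is: Enabled.'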
# ... tail of control 'windows-371' (its header lies before this span) ...
  impact 0.5
  tag windows: %w[2016 2019]
  tag profile: ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '19.7.7.4'
  tag level: '2'
  tag bsi: ['SYS.1.2.2.M4', 'Sichere Konfiguration']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  # Level-2 control; the CloudContent policies only exist from Server 2016 on.
  only_if('Only for Windows Server 2016, 2019 and if attribute(\'level_1_or_2\') is set to 2') do
    modern_server = %w[2016 2019].any? { |release| os[:name].include?(release) }
    modern_server && input('level_1_or_2') == 2
  end
  # Per-user policy: every user hive currently loaded under HKEY_USERS whose name is an
  # account SID (S-1-5-21-<3 sub-authorities>-<RID>). .DEFAULT, the service SIDs
  # S-1-5-18/19/20 and the *_Classes keys do not match the pattern.
  # NOTE(review): only loaded profiles are visible here, so users who are not logged on
  # are not checked; with no match no describe block is registered and the control
  # reports no tests instead of failing.
  loaded_user_hives = registry_key(hive: 'HKEY_USERS').children(/^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}$/)
  loaded_user_hives.each do |sid|
    cloud_content = [sid, 'Software', 'Policies', 'Microsoft', 'Windows', 'CloudContent'].join('\\')
    describe registry_key(cloud_content) do
      it { should exist }
      it { should have_property 'DisableWindowsSpotlightFeatures' }
      its('DisableWindowsSpotlightFeatures') { should eq 1 }
    end
  end
end

control 'windows-372' do
  title 'Ensure \'Prevent users from sharing files within their profile.\' is set to \'Enabled\''
  desc 'This policy setting specifies whether users can share files within their profile. By default users are allowed to share files within their profile to other users on their network after an administrator opts in the computer. An administrator can opt in the computer by using the sharing wizard to share a file within their profile.

The recommended state for this setting is: Enabled.'
  impact 1.0
  tag windows: %w[2012R2 2016 2019]
  tag profile: ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '19.7.26.1'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '19.7.26.1'
  tag level: '1'
  tag bsi: ['SYS.1.2.2.M4', 'Sichere Konfiguration']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  # Same per-user hive walk as above (loaded profiles only).
  loaded_user_hives = registry_key(hive: 'HKEY_USERS').children(/^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}$/)
  loaded_user_hives.each do |sid|
    explorer_policies = [sid, 'Software', 'Microsoft', 'Windows', 'CurrentVersion', 'Policies', 'Explorer'].join('\\')
    describe registry_key(explorer_policies) do
      it { should exist }
      it { should have_property 'NoInplaceSharing' }
      # 1 = policy 'Enabled' (in-place sharing from the profile is blocked).
      its('NoInplaceSharing') { should eq 1 }
    end
  end
end

control 'windows-373' do
  title 'Ensure \'Always install with elevated privileges\' is set to \'Disabled\''
  desc 'This setting controls whether or not Windows Installer should use system permissions when it installs any program on the system.

**Note:** This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effective, you must enable the setting in both folders.

**Caution:** If enabled, skilled users can take advantage of the permissions this setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this setting is not guaranteed to be secure.

The recommended state for this setting is: Disabled.'
  impact 1.0
  tag windows: %w[2012R2 2016 2019]
  tag profile: ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '19.7.40.1'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '19.7.40.1'
  tag level: '1'
  tag bsi: ['SYS.1.2.2.M4', 'Sichere Konfiguration']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  # AlwaysInstallElevated is a classic local privilege escalation: with the value set to
  # 1 in BOTH the machine hive and the user hive, any MSI a standard user runs executes
  # as SYSTEM. This control covers only the per-user half (loaded profiles only, see the
  # note above); the HKLM\Software\Policies\Microsoft\Windows\Installer counterpart is
  # presumably asserted by the computer-side profile -- verify it is, since a missing
  # user hive here silently yields no test.
  loaded_user_hives = registry_key(hive: 'HKEY_USERS').children(/^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}$/)
  loaded_user_hives.each do |sid|
    installer_policies = [sid, 'Software', 'Policies', 'Microsoft', 'Windows', 'Installer'].join('\\')
    describe registry_key(installer_policies) do
      it { should exist }
      it { should have_property 'AlwaysInstallElevated' }
      # 0 = policy 'Disabled' (the key must exist, i.e. the policy must be explicitly set).
      its('AlwaysInstallElevated') { should eq 0 }
    end
  end
end

control 'windows-374' do
  title 'Ensure \'Prevent Codec Download\' is set to \'Enabled\''
  desc 'This setting controls whether Windows Media Player is allowed to download additional codecs for decoding media files it does not already understand.

The recommended state for this setting is: Enabled.'
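# ... tail of control 'windows-374' (its header lies before this span) ...
  impact 0.5
  tag 'windows': %w(2012R2 2016 2019)
  tag 'profile': ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '19.7.44.2.1'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '19.7.44.2.1'
  tag 'level': '2'
  tag 'bsi': ['SYS.1.2.2.M4', 'Sichere Konfiguration']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  # Level-2 control: skipped unless the profile is run with level_1_or_2 = 2.
  only_if('This Control only executes if attribute(\'level_1_or_2\') is set to 2') do
    input('level_1_or_2') == 2
  end
  # Per-user policy: walk the user hives currently loaded under HKEY_USERS (account SIDs
  # only). NOTE(review): users who are not logged on are not checked, and with no match
  # the control registers no tests at all rather than failing.
  registry_key(hive: 'HKEY_USERS').children(/^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]{3,}$/).map { |x| "#{x}\\Software\\Policies\\Microsoft\\WindowsMediaPlayer" }.each do |entry|
    describe registry_key(entry) do
      it { should exist }
      it { should have_property 'PreventCodecDownload' }
      its('PreventCodecDownload') { should eq 1 }
    end
  end
end
--------------------------------------------------------------------------------
/controls/advanced_audit_policy_configuration.rb:
--------------------------------------------------------------------------------
# frozen_string_literal: true

# Advanced Audit Policy Configuration (CIS section 17). Each control asserts the
# effective setting of one audit subcategory through InSpec's audit_policy resource.
# NOTE(review): the resource appears to read auditpol output, so the subcategory names
# and the expected strings ('Success', 'Success and Failure') are the English ones;
# confirm behaviour on a localized Windows before relying on these results.
title 'Advanced Audit Policy Configuration'

control 'windows-146' do
  title 'Ensure \'Audit Credential Validation\' is set to \'Success and Failure\''
  desc 'This subcategory reports the results of validation tests on credentials submitted for a user account logon request. These events occur on the computer that is authoritative for the credentials. For domain accounts, the domain controller is authoritative, whereas for local accounts, the local computer is authoritative. In domain environments, most of the Account Logon events occur in the Security log of the domain controllers that are authoritative for the domain accounts. However, these events can occur on other computers in the organization when local accounts are used to log on. Events for this subcategory include:

* 4774: An account was mapped for logon.
* 4775: An account could not be mapped for logon.
* 4776: The domain controller attempted to validate the credentials for an account.
* 4777: The domain controller failed to validate the credentials for an account.
The recommended state for this setting is: Success and Failure.'
  impact 1.0
  tag 'windows': %w(2012R2 2016 2019)
  tag 'profile': ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '17.1.1'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '17.1.1'
  tag 'level': '1'
  tag 'bsi': ['SYS.1.2.2.M4', 'Sichere Konfiguration']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  # Failure events (4776/4777) are what password-spraying and NTLM relay detections key on,
  # hence Success AND Failure.
  describe audit_policy do
    its('Credential Validation') { should eq 'Success and Failure' }
  end
end

control 'windows-147' do
  title 'Ensure \'Audit Application Group Management\' is set to \'Success and Failure\''
  desc 'This policy setting allows you to audit events generated by changes to application groups such as the following:

* Application group is created, changed, or deleted.
* Member is added or removed from an application group.
Application groups are utilized by Windows Authorization Manager, which is a flexible framework created by Microsoft for integrating role-based access control (RBAC) into applications. More information on Windows Authorization Manager is available at [MSDN - Windows Authorization Manager](https://msdn.microsoft.com/en-us/library/bb897401.aspx).

The recommended state for this setting is: Success and Failure.'
  impact 1.0
  tag 'windows': %w(2012R2 2016 2019)
  tag 'profile': ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '17.2.1'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '17.2.1'
  tag 'level': '1'
  tag 'bsi': ['SYS.1.2.2.M4', 'Sichere Konfiguration']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  describe audit_policy do
    its('Application Group Management') { should eq 'Success and Failure' }
  end
end

control 'windows-148' do
  title 'Ensure \'Audit Computer Account Management\' is set to \'Success and Failure\''
  desc 'This subcategory reports each event of computer account management, such as when a computer account is created, changed, deleted, renamed, disabled, or enabled. Events for this subcategory include:

* 4741: A computer account was created.
* 4742: A computer account was changed.
* 4743: A computer account was deleted.
The recommended state for this setting is: Success and Failure.'
  impact 1.0
  tag 'windows': %w(2012R2 2016 2019)
  tag 'profile': ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '17.2.2'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '17.2.2'
  tag 'level': '1'
  tag 'bsi': ['SYS.1.2.2.M4', 'Sichere Konfiguration']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  describe audit_policy do
    its('Computer Account Management') { should eq 'Success and Failure' }
  end
end

control 'windows-149' do
  # Fixed: the title carried a stray trailing quote ("(DC only)'"), unlike the other
  # DC-only titles (windows-156, windows-157).
  title 'Ensure \'Audit Distribution Group Management\' is set to \'Success and Failure\' (DC only)'
  desc 'This subcategory reports each event of distribution group management, such as when a distribution group is created, changed, or deleted or when a member is added to or removed from a distribution group. If you enable this Audit policy setting, administrators can track events to detect malicious, accidental, and authorized creation of group accounts. Events for this subcategory include:

- 4744: A security-disabled local group was created.
- 4745: A security-disabled local group was changed.
- 4746: A member was added to a security-disabled local group.
- 4747: A member was removed from a security-disabled local group.
- 4748: A security-disabled local group was deleted.
- 4749: A security-disabled global group was created.
- 4750: A security-disabled global group was changed.
- 4751: A member was added to a security-disabled global group.
- 4752: A member was removed from a security-disabled global group.
- 4753: A security-disabled global group was deleted.
- 4759: A security-disabled universal group was created.
- 4760: A security-disabled universal group was changed.
- 4761: A member was added to a security-disabled universal group.
- 4762: A member was removed from a security-disabled universal group.
- 4763: A security-disabled universal group was deleted.

The recommended state for this setting is: Success and Failure.'
  impact 1.0
  tag 'windows': %w(2012R2 2016 2019)
  tag 'profile': ['Domain Controller']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '17.2.3'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '17.2.3'
  tag 'level': '1'
  tag 'bsi': ['SYS.1.2.2.M4', 'Sichere Konfiguration']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  # Scoped to domain controllers via the ms_or_dc input.
  # Fixed: the skip reason claimed the control runs when ms_or_dc is 'MS', the opposite
  # of the guard below, which misled anyone reading a report of a skipped member server.
  only_if('This Control only executes if attribute(\'ms_or_dc\') is set to DC') do
    input('ms_or_dc') == 'DC'
  end
  describe audit_policy do
    its('Distribution Group Management') { should eq 'Success and Failure' }
  end
end

control 'windows-150' do
  title 'Ensure \'Audit Other Account Management Events\' is set to \'Success and Failure\''
  desc 'This subcategory reports other account management events. Events for this subcategory include:

* 4782: The password hash an account was accessed.
* 4793: The Password Policy Checking API was called.
The recommended state for this setting is: Success and Failure.'
  impact 1.0
  tag 'windows': %w(2012R2 2016 2019)
  tag 'profile': ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '17.2.4'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '17.2.4'
  tag 'level': '1'
  tag 'bsi': ['SYS.1.2.2.M4', 'Sichere Konfiguration']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  # 4782 (password hash accessed) is the event that surfaces DCSync-style hash reads.
  describe audit_policy do
    its('Other Account Management Events') { should eq 'Success and Failure' }
  end
end

control 'windows-151' do
  title 'Ensure \'Audit Security Group Management\' is set to \'Success and Failure\''
  desc 'This subcategory reports each event of security group management, such as when a security group is created, changed, or deleted or when a member is added to or removed from a security group. If you enable this Audit policy setting, administrators can track events to detect malicious, accidental, and authorized creation of security group accounts. Events for this subcategory include:

* 4727: A security-enabled global group was created.
* 4728: A member was added to a security-enabled global group.
* 4729: A member was removed from a security-enabled global group.
* 4730: A security-enabled global group was deleted.
* 4731: A security-enabled local group was created.
* 4732: A member was added to a security-enabled local group.
* 4733: A member was removed from a security-enabled local group.
* 4734: A security-enabled local group was deleted.
* 4735: A security-enabled local group was changed.
* 4737: A security-enabled global group was changed.
* 4754: A security-enabled universal group was created.
* 4755: A security-enabled universal group was changed.
* 4756: A member was added to a security-enabled universal group.
* 4757: A member was removed from a security-enabled universal group.
* 4758: A security-enabled universal group was deleted.
* 4764: A group\'s type was changed.
The recommended state for this setting is: Success and Failure.'
  impact 1.0
  tag 'windows': %w(2012R2 2016 2019)
  tag 'profile': ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '17.2.5'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '17.2.5'
  tag 'level': '1'
  tag 'bsi': ['SYS.1.2.2.M4', 'Sichere Konfiguration']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  describe audit_policy do
    its('Security Group Management') { should eq 'Success and Failure' }
  end
end

control 'windows-152' do
  title 'Ensure \'Audit User Account Management\' is set to \'Success and Failure\''
  desc 'This subcategory reports each event of user account management, such as when a user account is created, changed, or deleted; a user account is renamed, disabled, or enabled; or a password is set or changed. If you enable this Audit policy setting, administrators can track events to detect malicious, accidental, and authorized creation of user accounts. Events for this subcategory include:

* 4720: A user account was created.
* 4722: A user account was enabled.
* 4723: An attempt was made to change an account\'s password.
* 4724: An attempt was made to reset an account\'s password.
* 4725: A user account was disabled.
* 4726: A user account was deleted.
* 4738: A user account was changed.
* 4740: A user account was locked out.
* 4765: SID History was added to an account.
* 4766: An attempt to add SID History to an account failed.
* 4767: A user account was unlocked.
* 4780: The ACL was set on accounts which are members of administrators groups.
* 4781: The name of an account was changed:
* 4794: An attempt was made to set the Directory Services Restore Mode.
* 5376: Credential Manager credentials were backed up.
* 5377: Credential Manager credentials were restored from a backup.
The recommended state for this setting is: Success and Failure.'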
# ... tail of control 'windows-152' (its header lies before this span) ...
  impact 1.0
  tag windows: %w[2012R2 2016 2019]
  tag profile: ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '17.2.6'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '17.2.6'
  tag level: '1'
  tag bsi: ['SYS.1.2.2.M4', 'Sichere Konfiguration']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  # Account creation/reset/SID-history events are core persistence indicators.
  expected_setting = 'Success and Failure'
  describe audit_policy do
    its('User Account Management') { should eq expected_setting }
  end
end

control 'windows-153' do
  title '(L1) Ensure \'Audit PNP Activity\' is set to \'Success\''
  desc 'This policy setting allows you to audit when plug and play detects an external device.

The recommended state for this setting is: Success.

**Note:** A Windows 10, Server 2016 or higher OS is required to access and set this value in Group Policy.'
  impact 1.0
  tag windows: %w[2016 2019]
  tag profile: ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '17.3.1'
  tag level: '1'
  tag bsi: ['SYS.1.2.2.M4', 'Sichere Konfiguration']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  # The subcategory does not exist on 2012 R2, so the control is skipped there.
  only_if('Only for Windows Server 2016, 2019') do
    %w[2016 2019].any? { |release| os[:name].include?(release) }
  end
  # Only Success is expected: a failed PnP detection produces no useful signal.
  describe audit_policy do
    its('Plug and Play Events') { should eq 'Success' }
  end
end

control 'windows-154' do
  title 'Ensure \'Audit Process Creation\' is set to \'Success\''
  desc 'This subcategory reports the creation of a process and the name of the program or user that created it. Events for this subcategory include:

* 4688: A new process has been created.
* 4696: A primary token was assigned to process.
Refer to Microsoft Knowledge Base article 947226: [Description of security events in Windows Vista and in Windows Server 2008](https://support.microsoft.com/en-us/kb/947226) for the most recent information about this setting.

The recommended state for this setting is: Success.'
  impact 1.0
  tag windows: %w[2012R2 2016 2019]
  tag profile: ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '17.3.1'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '17.3.2'
  tag level: '1'
  tag bsi: ['SYS.1.2.2.M4', 'Sichere Konfiguration']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  # Event 4688 is the backbone of most endpoint detection rules; note that this control
  # checks only that the subcategory is audited, not that command-line logging
  # (ProcessCreationIncludeCmdLine_Enabled) is on -- that lives in the computer policies.
  describe audit_policy do
    its('Process Creation') { should eq 'Success' }
  end
end

control 'windows-156' do
  title 'Ensure \'Audit Directory Service Access\' is set to \'Success and Failure\' (DC only)'
  desc 'This subcategory reports when an AD DS object is accessed. Only objects with SACLs cause audit events to be generated, and only when they are accessed in a manner that matches their SACL. These events are similar to the directory service access events in previous versions of Windows Server. This subcategory applies only to Domain Controllers. Events for this subcategory include:

* 4662 : An operation was performed on an object.
The recommended state for this setting is: Success and Failure.'
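# ... tail of control 'windows-156' (its header lies before this span) ...
  impact 1.0
  tag 'windows': %w(2012R2 2016 2019)
  tag 'profile': ['Domain Controller']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '17.4.1'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '17.4.1'
  tag 'level': '1'
  tag 'bsi': ['SYS.1.2.2.M4', 'Sichere Konfiguration']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  # Scoped to domain controllers via the ms_or_dc input.
  # Fixed: the skip reason said "set to MS" although the guard requires 'DC'.
  only_if('This Control only executes if attribute(\'ms_or_dc\') is set to DC') do
    input('ms_or_dc') == 'DC'
  end
  # 4662 only fires for objects that carry a SACL; auditing the subcategory is necessary
  # but not sufficient -- the SACLs themselves (e.g. on the domain object for DCSync
  # replication rights) are not verified here.
  describe audit_policy do
    its('Directory Service Access') { should eq 'Success and Failure' }
  end
end

control 'windows-157' do
  title 'Ensure \'Audit Directory Service Changes\' is set to \'Success and Failure\' (DC only)'
  desc 'This subcategory reports changes to objects in Active Directory Domain Services (AD DS). The types of changes that are reported are create, modify, move, and undelete operations that are performed on an object. DS Change auditing, where appropriate, indicates the old and new values of the changed properties of the objects that were changed. Only objects with SACLs cause audit events to be generated, and only when they are accessed in a manner that matches their SACL. Some objects and properties do not cause audit events to be generated due to settings on the object class in the schema. This subcategory applies only to Domain Controllers. Events for this subcategory include:

* 5136 : A directory service object was modified.
* 5137 : A directory service object was created.
* 5138 : A directory service object was undeleted.
* 5139 : A directory service object was moved.
The recommended state for this setting is: Success and Failure.'
  impact 1.0
  tag 'windows': %w(2012R2 2016 2019)
  tag 'profile': ['Domain Controller']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '17.4.2'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '17.4.2'
  tag 'level': '1'
  tag 'bsi': ['SYS.1.2.2.M4', 'Sichere Konfiguration']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  # Scoped to domain controllers via the ms_or_dc input.
  # Fixed: the skip reason said "set to MS" although the guard requires 'DC'.
  only_if('This Control only executes if attribute(\'ms_or_dc\') is set to DC') do
    input('ms_or_dc') == 'DC'
  end
  describe audit_policy do
    its('Directory Service Changes') { should eq 'Success and Failure' }
  end
end

control 'windows-158' do
  title 'Ensure \'Audit Account Lockout\' is set to \'Success and Failure\''
  desc 'This subcategory reports when a user\'s account is locked out as a result of too many failed logon attempts. Events for this subcategory include:

* 4625: An account failed to log on.
The recommended state for this setting is: Success and Failure.'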
  impact 1.0
  tag windows: %w[2012R2 2016 2019]
  tag profile: ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '17.5.1'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '17.5.1'
  tag level: '1'
  tag bsi: ['SYS.1.2.2.M4', 'Sichere Konfiguration']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  # Both Success and Failure are required so that lockouts are recorded regardless of
  # how the triggering logon attempt was evaluated.
  describe audit_policy do
    its('Account Lockout') { should eq 'Success and Failure' }
  end
end

# Audit Group Membership (CIS 2016 17.5.2): records the group SIDs carried in a logon
# token, on the machine where the logon session is created. The subcategory only
# exists from Windows 10 / Server 2016 on, hence the platform gate below.
control 'windows-159' do
  title 'Ensure \'Audit Group Membership\' is set to \'Success\''
  desc 'This policy allows you to audit the group membership information in the user’s logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource.

The recommended state for this setting is: Success.

**Note:** A Windows 10, Server 2016 or higher OS is required to access and set this value in Group Policy.'
  impact 1.0
  tag windows: %w[2016 2019]
  tag profile: ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '17.5.2'
  tag level: '1'
  tag bsi: ['SYS.1.2.2.M4', 'Sichere Konfiguration']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  # Gate on the platform name InSpec reports: a release whose name contains neither
  # marker (e.g. 2012R2) is skipped, not failed.
  # NOTE(review): this substring match also skips newer releases (2022 and later) that
  # support the subcategory -- confirm whether that is intended or the list should grow.
  only_if('Only for Windows Server 2016, 2019') do
    %w[2016 2019].any? { |release| os[:name].include?(release) }
  end
  describe audit_policy do
    its('Group Membership') { should eq 'Success' }
  end
end

# Audit Logoff (CIS 2012R2 17.5.2 / 2016 17.5.3): events 4634 and 4647, generated on
# the accessed computer. Success only; logoff has no failure path worth auditing.
control 'windows-160' do
  title 'Ensure \'Audit Logoff\' is set to \'Success\''
  desc 'This subcategory reports when a user logs off from the system. These events occur on the accessed computer. For interactive logons, the generation of these events occurs on the computer that is logged on to. If a network logon takes place to access a share, these events generate on the computer that hosts the accessed resource. If you configure this setting to No auditing, it is difficult or impossible to determine which user has accessed or attempted to access organization computers. Events for this subcategory include:

* 4634: An account was logged off.
* 4647: User initiated logoff.
The recommended state for this setting is: Success.'
  impact 1.0
  tag windows: %w[2012R2 2016 2019]
  tag profile: ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '17.5.2'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '17.5.3'
  tag level: '1'
  tag bsi: ['SYS.1.2.2.M4', 'Sichere Konfiguration']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  describe audit_policy do
    its('Logoff') { should eq 'Success' }
  end
end

# Audit Logon (CIS 2012R2 17.5.3 / 2016 17.5.4): 4624/4625/4648/4675, the core events
# for reconstructing who accessed a host. Failure auditing is what makes brute-force
# and password-spray attempts visible, so 'Success and Failure' is required.
control 'windows-161' do
  title 'Ensure \'Audit Logon\' is set to \'Success and Failure\''
  desc 'This subcategory reports when a user attempts to log on to the system. These events occur on the accessed computer. For interactive logons, the generation of these events occurs on the computer that is logged on to. If a network logon takes place to access a share, these events generate on the computer that hosts the accessed resource. If you configure this setting to No auditing, it is difficult or impossible to determine which user has accessed or attempted to access organization computers. Events for this subcategory include:

* 4624: An account was successfully logged on.
* 4625: An account failed to log on.
* 4648: A logon was attempted using explicit credentials.
* 4675: SIDs were filtered.
The recommended state for this setting is: Success and Failure.'
  impact 1.0
  tag windows: %w[2012R2 2016 2019]
  tag profile: ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '17.5.3'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '17.5.4'
  tag level: '1'
  tag bsi: ['SYS.1.2.2.M4', 'Sichere Konfiguration']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  describe audit_policy do
    its('Logon') { should eq 'Success and Failure' }
  end
end

# Audit Other Logon/Logoff Events (CIS 2012R2 17.5.4 / 2016 17.5.5): RDP session
# connect/disconnect, workstation lock/unlock, replay detection and credential
# delegation denials (4649, 4778/4779, 4800-4803, 5378, 5632/5633).
control 'windows-162' do
  title 'Ensure \'Audit Other Logon/Logoff Events\' is set to \'Success and Failure\''
  desc 'This subcategory reports other logon/logoff-related events, such as Terminal Services session disconnects and reconnects, using RunAs to run processes under a different account, and locking and unlocking a workstation. Events for this subcategory include:

* 4649: A replay attack was detected.
* 4778: A session was reconnected to a Window Station.
* 4779: A session was disconnected from a Window Station.
* 4800: The workstation was locked.
* 4801: The workstation was unlocked.
* 4802: The screen saver was invoked.
* 4803: The screen saver was dismissed.
* 5378: The requested credentials delegation was disallowed by policy.
* 5632: A request was made to authenticate to a wireless network.
* 5633: A request was made to authenticate to a wired network.
The recommended state for this setting is: Success and Failure.'
  impact 1.0
  tag windows: %w[2012R2 2016 2019]
  tag profile: ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '17.5.4'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '17.5.5'
  tag level: '1'
  tag bsi: ['SYS.1.2.2.M4', 'Sichere Konfiguration']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  describe audit_policy do
    its('Other Logon/Logoff Events') { should eq 'Success and Failure' }
  end
end

# Audit Special Logon (CIS 2012R2 17.5.5 / 2016 17.5.6): event 4964 fires when a logon
# token carries a configured "special group" (administrator-equivalent) membership.
# Success only -- the subcategory has no failure events.
control 'windows-163' do
  title 'Ensure \'Audit Special Logon\' is set to \'Success\''
  desc 'This subcategory reports when a special logon is used. A special logon is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. Events for this subcategory include:

* 4964 : Special groups have been assigned to a new logon.
The recommended state for this setting is: Success.'
  impact 1.0
  tag windows: %w[2012R2 2016 2019]
  tag profile: ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '17.5.5'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '17.5.6'
  tag level: '1'
  tag bsi: ['SYS.1.2.2.M4', 'Sichere Konfiguration']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  describe audit_policy do
    its('Special Logon') { should eq 'Success' }
  end
end

# Audit Other Object Access Events (CIS 17.6.1): scheduled-task and COM+ catalog
# lifecycle -- a common persistence channel, which is why both outcomes are audited.
control 'windows-164' do
  title 'Ensure \'Audit Other Object Access Events\' is set to \'Success and Failure\''
  desc 'This policy setting allows you to audit events generated by the management of task scheduler jobs or COM+ objects.

For scheduler jobs, the following are audited:

* Job created.
* Job deleted.
* Job enabled.
* Job disabled.
* Job updated.
For COM+ objects, the following are audited:

* Catalog object added.
* Catalog object updated.
* Catalog object deleted.
The recommended state for this setting is: Success and Failure.'
  impact 1.0
  tag windows: %w[2012R2 2016 2019]
  tag profile: ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '17.6.1'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '17.6.1'
  tag level: '1'
  tag bsi: ['SYS.1.2.2.M4', 'Sichere Konfiguration']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  describe audit_policy do
    its('Other Object Access Events') { should eq 'Success and Failure' }
  end
end

# Audit Removable Storage (CIS 17.6.2): file-system access on removable media, i.e. the
# trace for data exfiltration or malware introduction via USB devices. Note that every
# access generates an event, so volume can be high on hosts that use such media.
control 'windows-165' do
  title 'Ensure \'Audit Removable Storage\' is set to \'Success and Failure\''
  desc 'This policy setting allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested. If you configure this policy setting, an audit event is generated each time an account accesses a file system object on a removable storage. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when an account accesses a file system object on a removable storage.

The recommended state for this setting is: Success and Failure.

**Note:** A Windows 8, Server 2012 (non-R2) or higher OS is required to access and set this value in Group Policy.'
  impact 1.0
  tag windows: %w[2012R2 2016 2019]
  tag profile: ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '17.6.2'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '17.6.2'
  tag level: '1'
  tag bsi: ['SYS.1.2.2.M4', 'Sichere Konfiguration']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  describe audit_policy do
    its('Removable Storage') { should eq 'Success and Failure' }
  end
end

# Audit Audit Policy Change (CIS 17.7.1): changes to the audit configuration itself,
# including SACL edits, CrashOnAuditFail and per-user audit tables (4715, 4719,
# 4902-4912). These are the events that show an attacker turning auditing off.
control 'windows-166' do
  title 'Ensure \'Audit Audit Policy Change\' is set to \'Success and Failure\''
  desc 'This subcategory reports changes in audit policy including SACL changes. Events for this subcategory include:

* 4715: The audit policy (SACL) on an object was changed.
* 4719: System audit policy was changed.
* 4902: The Per-user audit policy table was created.
* 4904: An attempt was made to register a security event source.
* 4905: An attempt was made to unregister a security event source.
* 4906: The CrashOnAuditFail value has changed.
* 4907: Auditing settings on object were changed.
* 4908: Special Groups Logon table modified.
* 4912: Per User Audit Policy was changed.
The recommended state for this setting is: Success and Failure.'
  impact 1.0
  tag windows: %w[2012R2 2016 2019]
  tag profile: ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '17.7.1'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '17.7.1'
  tag level: '1'
  tag bsi: ['SYS.1.2.2.M4', 'Sichere Konfiguration']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  describe audit_policy do
    its('Audit Policy Change') { should eq 'Success and Failure' }
  end
end

# Audit Authentication Policy Change (CIS 17.7.2): domain/forest trust changes,
# Kerberos policy changes and grants/removals of system security access
# (4706/4707, 4713, 4716-4718, 4739, 4864-4867). Success only per the benchmark.
control 'windows-167' do
  title 'Ensure \'Audit Authentication Policy Change\' is set to \'Success\''
  desc 'This subcategory reports changes in authentication policy. Events for this subcategory include:

* 4706: A new trust was created to a domain.
* 4707: A trust to a domain was removed.
* 4713: Kerberos policy was changed.
* 4716: Trusted domain information was modified.
* 4717: System security access was granted to an account.
* 4718: System security access was removed from an account.
* 4739: Domain Policy was changed.
* 4864: A namespace collision was detected.
* 4865: A trusted forest information entry was added.
* 4866: A trusted forest information entry was removed.
* 4867: A trusted forest information entry was modified.
The recommended state for this setting is: Success.'
  impact 1.0
  tag windows: %w[2012R2 2016 2019]
  tag profile: ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '17.7.2'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '17.7.2'
  tag level: '1'
  tag bsi: ['SYS.1.2.2.M4', 'Sichere Konfiguration']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  describe audit_policy do
    its('Authentication Policy Change') { should eq 'Success' }
  end
end

# Audit Authorization Policy Change (CIS 17.7.3): user-right assignments and removals
# (4704/4705) plus trust and EFS recovery-policy changes. User-right changes are a
# classic privilege-escalation footprint.
control 'windows-168' do
  title 'Ensure \'Audit Authorization Policy Change\' is set to \'Success\''
  desc 'This subcategory reports changes in authorization policy. Events for this subcategory include:

* 4704: A user right was assigned.
* 4705: A user right was removed.
* 4706: A new trust was created to a domain.
* 4707: A trust to a domain was removed.
* 4714: Encrypted data recovery policy was changed.
The recommended state for this setting is: Success.'
  impact 1.0
  tag windows: %w[2012R2 2016 2019]
  tag profile: ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '17.7.3'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '17.7.3'
  tag level: '1'
  tag bsi: ['SYS.1.2.2.M4', 'Sichere Konfiguration']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  describe audit_policy do
    its('Authorization Policy Change') { should eq 'Success' }
  end
end

# Audit Sensitive Privilege Use (CIS 17.8.1): use of the high-risk user rights listed in
# the description (SeDebugPrivilege, SeTcbPrivilege, SeBackup/Restore, ...), events
# 4672-4674. The description warns this is high-volume; size log retention accordingly.
control 'windows-169' do
  title 'Ensure \'Audit Sensitive Privilege Use\' is set to \'Success and Failure\''
  desc 'This subcategory reports when a user account or service uses a sensitive privilege. A sensitive privilege includes the following user rights: Act as part of the operating system, Back up files and directories, Create a token object, Debug programs, Enable computer and user accounts to be trusted for delegation, Generate security audits, Impersonate a client after authentication, Load and unload device drivers, Manage auditing and security log, Modify firmware environment values, Replace a process-level token, Restore files and directories, and Take ownership of files or other objects. Auditing this subcategory will create a high volume of events. Events for this subcategory include:

* 4672: Special privileges assigned to new logon.
* 4673: A privileged service was called.
* 4674: An operation was attempted on a privileged object.
The recommended state for this setting is: Success and Failure.'
  impact 1.0
  tag windows: %w[2012R2 2016 2019]
  tag profile: ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '17.8.1'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '17.8.1'
  tag level: '1'
  tag bsi: ['SYS.1.2.2.M4', 'Sichere Konfiguration']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  describe audit_policy do
    its('Sensitive Privilege Use') { should eq 'Success and Failure' }
  end
end

# Audit IPsec Driver (CIS 17.9.1): integrity/replay/SPI failures on inbound IPsec
# traffic and IPsec service start/stop (4960-4965, 5478-5485). Failures here are the
# only host-side indication of tampered, replayed or unexpectedly clear-text packets.
control 'windows-170' do
  title 'Ensure \'Audit IPsec Driver\' is set to \'Success and Failure\''
  desc 'This subcategory reports on the activities of the Internet Protocol security (IPsec) driver. Events for this subcategory include:

* 4960: IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations.
* 4961: IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer.
* 4962: IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.
* 4963: IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt.
* 4965: IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored.
* 5478: IPsec Services has started successfully.
* 5479: IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.
* 5480: IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.
* 5483: IPsec Services failed to initialize RPC server. IPsec Services could not be started.
* 5484: IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.
* 5485: IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.
The recommended state for this setting is: Success and Failure.'
  impact 1.0
  tag windows: %w[2012R2 2016 2019]
  tag profile: ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '17.9.1'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '17.9.1'
  tag level: '1'
  tag bsi: ['SYS.1.2.2.M4', 'Sichere Konfiguration'] # FIXME: check Baustein
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  describe audit_policy do
    its('IPsec Driver') { should eq 'Success and Failure' }
  end
end

# Audit Other System Events (CIS 17.9.2): Windows Firewall service/driver lifecycle and
# policy-load failures (5024-5037) plus key file/migration operations (5058/5059).
# A stopped or failed firewall service is reported only through these events.
control 'windows-171' do
  title 'Ensure \'Audit Other System Events\' is set to \'Success and Failure\''
  desc 'This subcategory reports on other system events. Events for this subcategory include:

* 5024 : The Windows Firewall Service has started successfully.
* 5025 : The Windows Firewall Service has been stopped.
* 5027 : The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.
* 5028 : The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.
* 5029: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.
* 5030: The Windows Firewall Service failed to start.
* 5032: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
* 5033 : The Windows Firewall Driver has started successfully.
* 5034 : The Windows Firewall Driver has been stopped.
* 5035 : The Windows Firewall Driver failed to start.
* 5037 : The Windows Firewall Driver detected critical runtime error. Terminating.
* 5058: Key file operation.
* 5059: Key migration operation.
The recommended state for this setting is: Success and Failure.'
  impact 1.0
  tag windows: %w[2012R2 2016 2019]
  tag profile: ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '17.9.2'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '17.9.2'
  tag level: '1'
  tag bsi: ['SYS.1.2.2.M4', 'Sichere Konfiguration']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  describe audit_policy do
    its('Other System Events') { should eq 'Success and Failure' }
  end
end

# Audit Security State Change (CIS 17.9.3): system start/shutdown, system time changes
# and CrashOnAuditFail recovery (4608, 4609, 4616, 4621). Time changes matter for log
# integrity; 4621 flags a window in which auditable activity may be missing.
control 'windows-172' do
  title 'Ensure \'Audit Security State Change\' is set to \'Success\''
  desc 'This subcategory reports changes in security state of the system, such as when the security subsystem starts and stops. Events for this subcategory include:

* 4608: Windows is starting up.
* 4609: Windows is shutting down.
* 4616: The system time was changed.
* 4621: Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.
The recommended state for this setting is: Success.'
  impact 1.0
  tag windows: %w[2012R2 2016 2019]
  tag profile: ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '17.9.3'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '17.9.3'
  tag level: '1'
  tag bsi: ['SYS.1.2.2.M4', 'Sichere Konfiguration']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  describe audit_policy do
    its('Security State Change') { should eq 'Success' }
  end
end

# Audit Security System Extension (CIS 17.9.4): authentication/notification/security
# packages loaded into LSA or SAM and new service installs (4610, 4611, 4614, 4622,
# 4697). These are the events that expose rogue password filters, SSPs and
# service-based persistence, so both outcomes are required.
control 'windows-173' do
  title 'Ensure \'Audit Security System Extension\' is set to \'Success and Failure\''
  desc 'This subcategory reports the loading of extension code such as authentication packages by the security subsystem. Events for this subcategory include:

* 4610: An authentication package has been loaded by the Local Security Authority.
* 4611: A trusted logon process has been registered with the Local Security Authority.
* 4614: A notification package has been loaded by the Security Account Manager.
* 4622: A security package has been loaded by the Local Security Authority.
* 4697: A service was installed in the system.
The recommended state for this setting is: Success and Failure.'
  impact 1.0
  tag windows: %w[2012R2 2016 2019]
  tag profile: ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '17.9.4'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '17.9.4'
  tag level: '1'
  tag bsi: ['SYS.1.2.2.M4', 'Sichere Konfiguration']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  describe audit_policy do
    its('Security System Extension') { should eq 'Success and Failure' }
  end
end

# Audit System Integrity (CIS 17.9.5): audit-queue exhaustion (4612 -- lost audits),
# LPC/RPC integrity violations, code-integrity hash failures (5038) and cryptographic
# self-test/operation failures (5056-5062). 4612 in particular is the signal that the
# audit trail itself has gaps.
control 'windows-174' do
  title 'Ensure \'Audit System Integrity\' is set to \'Success and Failure\''
  desc 'This subcategory reports on violations of integrity of the security subsystem. Events for this subcategory include:

* 4612 : Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.
* 4615 : Invalid use of LPC port.
* 4618 : A monitored security event pattern has occurred.
* 4816 : RPC detected an integrity violation while decrypting an incoming message.
* 5038 : Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
* 5056: A cryptographic self test was performed.
* 5057: A cryptographic primitive operation failed.
* 5060: Verification operation failed.
* 5061: Cryptographic operation.
* 5062: A kernel-mode cryptographic self test was performed.
The recommended state for this setting is: Success and Failure.'
  impact 1.0
  tag windows: %w[2012R2 2016 2019]
  tag profile: ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '17.9.5'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '17.9.5'
  tag level: '1'
  tag bsi: ['SYS.1.2.2.M4', 'Sichere Konfiguration']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  describe audit_policy do
    its('System Integrity') { should eq 'Success and Failure' }
  end
end

--------------------------------------------------------------------------------
/controls/windows_firewall_with_advanced_security.rb:
--------------------------------------------------------------------------------
# frozen_string_literal: true

title 'windows firewall with advanced policy'

# Windows Firewall, Domain profile: firewall state (CIS 9.1.1). The checks in this file
# read the Group Policy registry hive (HKLM\Software\Policies\...), i.e. the
# GPO-delivered configuration, which is what the benchmark audits.
control 'windows-120' do
  title 'Ensure \'Windows Firewall: Domain: Firewall state\' is set to \'On (recommended)\''
  desc 'Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile.

The recommended state for this setting is: On (recommended).'
  impact 1.0
  tag 'windows': %w(2012R2 2016 2019)
  tag 'profile': ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '9.1.1'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '9.1.1'
  tag 'level': '1'
  tag 'bsi': ['SYS.1.2.2.M3', 'Sichere Administration', 'SYS.1.2.2.M9', 'Lokale Kommunikationsfilterung (CI)']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  # Group Policy-managed key; 1 = firewall on for the Domain profile.
  describe registry_key('HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\DomainProfile') do
    it { should exist }
    it { should have_property 'EnableFirewall' }
    its('EnableFirewall') { should eq 1 }
  end
end

# CIS 9.1.2: inbound connections that match no rule are blocked on the Domain
# profile (DefaultInboundAction = 1). Read from the Group Policy-managed key,
# so a locally configured profile leaves the key absent and fails `should exist`.
control 'windows-121' do
  title 'Ensure \'Windows Firewall: Domain: Inbound connections\' is set to \'Block (default)\''
  desc 'This setting determines the behavior for inbound connections that do not match an inbound firewall rule.

  The recommended state for this setting is: Block (default).'
  impact 1.0
  tag 'windows': %w(2012R2 2016 2019)
  tag 'profile': ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '9.1.2'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '9.1.2'
  tag 'level': '1'
  tag 'bsi': ['SYS.1.2.2.M3', 'Sichere Administration', 'SYS.1.2.2.M9', 'Lokale Kommunikationsfilterung (CI)']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  # 1 = Block (per the title); 0 would be Allow.
  describe registry_key('HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\DomainProfile') do
    it { should exist }
    it { should have_property 'DefaultInboundAction' }
    its('DefaultInboundAction') { should eq 1 }
  end
end

# CIS 9.1.3: outbound connections that match no rule are allowed on the Domain
# profile (DefaultOutboundAction = 0).
control 'windows-122' do
  title 'Ensure \'Windows Firewall: Domain: Outbound connections\' is set to \'Allow (default)\''
  desc 'This setting determines the behavior for outbound connections that do not match an outbound firewall rule.

  The recommended state for this setting is: Allow (default).'
  impact 1.0
  tag 'windows': %w(2012R2 2016 2019)
  tag 'profile': ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '9.1.3'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '9.1.3'
  tag 'level': '1'
  tag 'bsi': ['SYS.1.2.2.M3', 'Sichere Administration', 'SYS.1.2.2.M9', 'Lokale Kommunikationsfilterung (CI)']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  # 0 = Allow (per the title); 1 would be Block.
  describe registry_key('HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\DomainProfile') do
    it { should exist }
    it { should have_property 'DefaultOutboundAction' }
    its('DefaultOutboundAction') { should eq 0 }
  end
end

# CIS 9.1.4: no user notification when a program is blocked from receiving
# inbound connections on the Domain profile. The title says 'No' and the check
# enforces it as DisableNotifications = 1. Read from the Group Policy-managed
# key, so a locally configured profile fails `should exist`.
control 'windows-123' do
  title 'Ensure \'Windows Firewall: Domain: Settings: Display a notification\' is set to \'No\''
  desc 'Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections.

  The recommended state for this setting is: No.'
  impact 1.0
  tag 'windows': %w(2012R2 2016 2019)
  tag 'profile': ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '9.1.4'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '9.1.4'
  tag 'level': '1'
  tag 'bsi': ['SYS.1.2.2.M3', 'Sichere Administration', 'SYS.1.2.2.M9', 'Lokale Kommunikationsfilterung (CI)']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  # 1 = notifications disabled ('No').
  describe registry_key('HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\DomainProfile') do
    it { should exist }
    it { should have_property 'DisableNotifications' }
    its('DisableNotifications') { should eq 1 }
  end
end

# CIS 9.1.5: Domain-profile firewall log written to the expected file.
control 'windows-124' do
  title 'Ensure \'Windows Firewall: Domain: Logging: Name\' is set to \'%SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log\''
  desc ' Use this option to specify the path and name of the file in which Windows Firewall will write its log information.

  The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log.'
  impact 1.0
  tag 'windows': %w(2012R2 2016 2019)
  tag 'profile': ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '9.1.5'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '9.1.5'
  tag 'level': '1'
  tag 'bsi': ['SYS.1.2.2.M4', 'Sichere Konfiguration', 'SYS.1.2.2.M9', 'Lokale Kommunikationsfilterung (CI)']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  # `eq` is a case-sensitive string compare; the expected value must match the
  # policy-written string exactly, including the %SYSTEMROOT% spelling.
  describe registry_key('HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\DomainProfile\\Logging') do
    it { should exist }
    it { should have_property 'LogFilePath' }
    its('LogFilePath') { should eq '%SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log' }
  end
end

# CIS 9.1.6: Domain-profile firewall log size limit of at least 16,384 KB, so
# the log keeps enough history before it wraps. Read from the Group
# Policy-managed key, so a locally configured profile fails `should exist`.
control 'windows-125' do
  title 'Ensure \'Windows Firewall: Domain: Logging: Size limit (KB)\' is set to \'16,384 KB or greater\''
  desc 'Use this option to specify the size limit of the file in which Windows Firewall will write its log information.

  The recommended state for this setting is: 16,384 KB or greater.'
  impact 1.0
  tag 'windows': %w(2012R2 2016 2019)
  tag 'profile': ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '9.1.6'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '9.1.6'
  tag 'level': '1'
  tag 'bsi': ['SYS.1.2.2.M4', 'Sichere Konfiguration', 'SYS.1.2.2.M9', 'Lokale Kommunikationsfilterung (CI)']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  # Value is in KB; larger limits are acceptable, hence >= rather than eq.
  describe registry_key('HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\DomainProfile\\Logging') do
    it { should exist }
    it { should have_property 'LogFileSize' }
    its('LogFileSize') { should be >= 16384 }
  end
end

# CIS 9.1.7: dropped inbound packets are logged on the Domain profile.
control 'windows-126' do
  title 'Ensure \'Windows Firewall: Domain: Logging: Log dropped packets\' is set to \'Yes\''
  desc 'Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log.

  The recommended state for this setting is: Yes.'
  impact 1.0
  tag 'windows': %w(2012R2 2016 2019)
  tag 'profile': ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '9.1.7'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '9.1.7'
  tag 'level': '1'
  tag 'bsi': ['SYS.1.2.2.M4', 'Sichere Konfiguration', 'SYS.1.2.2.M9', 'Lokale Kommunikationsfilterung (CI)']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  # 1 = log dropped packets ('Yes').
  describe registry_key('HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\DomainProfile\\Logging') do
    it { should exist }
    it { should have_property 'LogDroppedPackets' }
    its('LogDroppedPackets') { should eq 1 }
  end
end

# CIS 9.1.8: allowed inbound connections are logged on the Domain profile, so
# the log shows what got through, not only what was dropped. Read from the
# Group Policy-managed key, so a locally configured profile fails `should exist`.
control 'windows-127' do
  title 'Ensure \'Windows Firewall: Domain: Logging: Log successful connections\' is set to \'Yes\''
  desc 'Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log.

  The recommended state for this setting is: Yes.'
  impact 1.0
  tag 'windows': %w(2012R2 2016 2019)
  tag 'profile': ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '9.1.8'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '9.1.8'
  tag 'level': '1'
  tag 'bsi': ['SYS.1.2.2.M4', 'Sichere Konfiguration', 'SYS.1.2.2.M9', 'Lokale Kommunikationsfilterung (CI)']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  # 1 = log successful connections ('Yes').
  describe registry_key('HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\DomainProfile\\Logging') do
    it { should exist }
    it { should have_property 'LogSuccessfulConnections' }
    its('LogSuccessfulConnections') { should eq 1 }
  end
end

# CIS 9.2.1: Windows Firewall enabled for the Private profile (EnableFirewall = 1).
control 'windows-128' do
  title 'Ensure \'Windows Firewall: Private: Firewall state\' is set to \'On (recommended)\''
  desc 'Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile.

  The recommended state for this setting is: On (recommended).'
  impact 1.0
  tag 'windows': %w(2012R2 2016 2019)
  tag 'profile': ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '9.2.1'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '9.2.1'
  tag 'level': '1'
  tag 'bsi': ['SYS.1.2.2.M4', 'Sichere Konfiguration', 'SYS.1.2.2.M9', 'Lokale Kommunikationsfilterung (CI)']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  # Group Policy-managed key; 1 = firewall on for the Private profile.
  describe registry_key('HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\PrivateProfile') do
    it { should exist }
    it { should have_property 'EnableFirewall' }
    its('EnableFirewall') { should eq 1 }
  end
end

# CIS 9.2.2: inbound connections that match no rule are blocked on the Private
# profile (DefaultInboundAction = 1). Read from the Group Policy-managed key,
# so a locally configured profile leaves the key absent and fails `should exist`.
control 'windows-129' do
  title 'Ensure \'Windows Firewall: Private: Inbound connections\' is set to \'Block (default)\''
  desc 'This setting determines the behavior for inbound connections that do not match an inbound firewall rule.

  The recommended state for this setting is: Block (default).'
  impact 1.0
  tag 'windows': %w(2012R2 2016 2019)
  tag 'profile': ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '9.2.2'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '9.2.2'
  tag 'level': '1'
  tag 'bsi': ['SYS.1.2.2.M4', 'Sichere Konfiguration', 'SYS.1.2.2.M9', 'Lokale Kommunikationsfilterung (CI)']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  # 1 = Block (per the title); 0 would be Allow.
  describe registry_key('HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\PrivateProfile') do
    it { should exist }
    it { should have_property 'DefaultInboundAction' }
    its('DefaultInboundAction') { should eq 1 }
  end
end

# CIS 9.2.3: outbound connections that match no rule are allowed on the Private
# profile (DefaultOutboundAction = 0).
control 'windows-130' do
  title 'Ensure \'Windows Firewall: Private: Outbound connections\' is set to \'Allow (default)\''
  desc 'This setting determines the behavior for outbound connections that do not match an outbound firewall rule.

  The recommended state for this setting is: Allow (default).'
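  impact 1.0
  tag 'windows': %w(2012R2 2016 2019)
  tag 'profile': ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '9.2.3'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '9.2.3'
  tag 'level': '1'
  tag 'bsi': ['SYS.1.2.2.M4', 'Sichere Konfiguration', 'SYS.1.2.2.M9', 'Lokale Kommunikationsfilterung (CI)']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  # 0 = Allow (per the title); 1 would be Block.
  describe registry_key('HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\PrivateProfile') do
    it { should exist }
    it { should have_property 'DefaultOutboundAction' }
    its('DefaultOutboundAction') { should eq 0 }
  end
end

# CIS 9.2.4: no user notification when a program is blocked from receiving
# inbound connections on the Private profile ('No' = DisableNotifications = 1).
# Read from the Group Policy-managed key, so a locally configured profile
# leaves the key absent and fails `should exist`.
control 'windows-131' do
  title 'Ensure \'Windows Firewall: Private: Settings: Display a notification\' is set to \'No\''
  desc 'Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections.

  The recommended state for this setting is: No.'
  impact 1.0
  tag 'windows': %w(2012R2 2016 2019)
  tag 'profile': ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '9.2.4'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '9.2.4'
  tag 'level': '1'
  tag 'bsi': ['SYS.1.2.2.M4', 'Sichere Konfiguration', 'SYS.1.2.2.M9', 'Lokale Kommunikationsfilterung (CI)']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  # 1 = notifications disabled ('No').
  describe registry_key('HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\PrivateProfile') do
    it { should exist }
    it { should have_property 'DisableNotifications' }
    its('DisableNotifications') { should eq 1 }
  end
end

# CIS 9.2.5: Private-profile firewall log written to the expected file.
# The desc previously described the 'Apply local firewall rules' setting and
# recommended 'Yes (default)', which did not match this control's title or its
# LogFilePath check; it now mirrors the Domain/Public logging-name controls.
# The title's path escapes use '\\' like the sibling controls (in a
# single-quoted Ruby string '\S' and '\\S' both yield a single backslash, so
# the rendered title is unchanged).
control 'windows-132' do
  title 'Ensure \'Windows Firewall: Private: Logging: Name\' is set to \'%SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log\''
  desc 'Use this option to specify the path and name of the file in which Windows Firewall will write its log information.

  The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log.'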
  impact 1.0
  tag 'windows': %w(2012R2 2016 2019)
  tag 'profile': ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '9.2.5'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '9.2.5'
  tag 'level': '1'
  tag 'bsi': ['SYS.1.2.2.M4', 'Sichere Konfiguration', 'SYS.1.2.2.M9', 'Lokale Kommunikationsfilterung (CI)']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  # `eq` is a case-sensitive string compare; the expected value must match the
  # policy-written string exactly, including the %SYSTEMROOT% spelling.
  describe registry_key('HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\PrivateProfile\\Logging') do
    it { should exist }
    it { should have_property 'LogFilePath' }
    its('LogFilePath') { should eq '%SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log' }
  end
end

# CIS 9.2.6: Private-profile firewall log size limit of at least 16,384 KB.
# Read from the Group Policy-managed key, so a locally configured profile
# leaves the key absent and fails `should exist`.
control 'windows-133' do
  title 'Ensure \'Windows Firewall: Private: Logging: Size limit (KB)\' is set to \'16,384 KB or greater\''
  desc 'Use this option to specify the size limit of the file in which Windows Firewall will write its log information.

  The recommended state for this setting is: 16,384 KB or greater.'
  impact 1.0
  tag 'windows': %w(2012R2 2016 2019)
  tag 'profile': ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '9.2.6'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '9.2.6'
  tag 'level': '1'
  tag 'bsi': ['SYS.1.2.2.M4', 'Sichere Konfiguration', 'SYS.1.2.2.M9', 'Lokale Kommunikationsfilterung (CI)']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  # Value is in KB; larger limits are acceptable, hence >= rather than eq.
  describe registry_key('HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\PrivateProfile\\Logging') do
    it { should exist }
    it { should have_property 'LogFileSize' }
    its('LogFileSize') { should be >= 16384 }
  end
end

# CIS 9.2.7: dropped inbound packets are logged on the Private profile.
control 'windows-134' do
  title 'Ensure \'Windows Firewall: Private: Logging: Log dropped packets\' is set to \'Yes\''
  desc 'Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log.

  The recommended state for this setting is: Yes.'
  impact 1.0
  tag 'windows': %w(2012R2 2016 2019)
  tag 'profile': ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '9.2.7'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '9.2.7'
  tag 'level': '1'
  tag 'bsi': ['SYS.1.2.2.M4', 'Sichere Konfiguration', 'SYS.1.2.2.M9', 'Lokale Kommunikationsfilterung (CI)']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  # 1 = log dropped packets ('Yes').
  describe registry_key('HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\PrivateProfile\\Logging') do
    it { should exist }
    it { should have_property 'LogDroppedPackets' }
    its('LogDroppedPackets') { should eq 1 }
  end
end

# CIS 9.2.8: allowed inbound connections are logged on the Private profile.
# Read from the Group Policy-managed key, so a locally configured profile
# leaves the key absent and fails `should exist`.
control 'windows-135' do
  title 'Ensure \'Windows Firewall: Private: Logging: Log successful connections\' is set to \'Yes\''
  desc 'Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log.

  The recommended state for this setting is: Yes.'
  impact 1.0
  tag 'windows': %w(2012R2 2016 2019)
  tag 'profile': ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '9.2.8'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '9.2.8'
  tag 'level': '1'
  tag 'bsi': ['SYS.1.2.2.M4', 'Sichere Konfiguration', 'SYS.1.2.2.M9', 'Lokale Kommunikationsfilterung (CI)']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  # 1 = log successful connections ('Yes').
  describe registry_key('HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\PrivateProfile\\Logging') do
    it { should exist }
    it { should have_property 'LogSuccessfulConnections' }
    its('LogSuccessfulConnections') { should eq 1 }
  end
end

# CIS 9.3.1: Windows Firewall enabled for the Public profile (EnableFirewall = 1).
control 'windows-136' do
  title 'Ensure \'Windows Firewall: Public: Firewall state\' is set to \'On (recommended)\''
  desc 'Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile.

  The recommended state for this setting is: On (recommended).'
  impact 1.0
  tag 'windows': %w(2012R2 2016 2019)
  tag 'profile': ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '9.3.1'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '9.3.1'
  tag 'level': '1'
  tag 'bsi': ['SYS.1.2.2.M4', 'Sichere Konfiguration', 'SYS.1.2.2.M9', 'Lokale Kommunikationsfilterung (CI)']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  # Group Policy-managed key; 1 = firewall on for the Public profile.
  describe registry_key('HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\PublicProfile') do
    it { should exist }
    it { should have_property 'EnableFirewall' }
    its('EnableFirewall') { should eq 1 }
  end
end

# CIS 9.3.2: inbound connections that match no rule are blocked on the Public
# profile (DefaultInboundAction = 1). Read from the Group Policy-managed key,
# so a locally configured profile leaves the key absent and fails `should exist`.
control 'windows-137' do
  title 'Ensure \'Windows Firewall: Public: Inbound connections\' is set to \'Block (default)\''
  desc 'This setting determines the behavior for inbound connections that do not match an inbound firewall rule.

  The recommended state for this setting is: Block (default).'
  impact 1.0
  tag 'windows': %w(2012R2 2016 2019)
  tag 'profile': ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '9.3.2'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '9.3.2'
  tag 'level': '1'
  tag 'bsi': ['SYS.1.2.2.M4', 'Sichere Konfiguration', 'SYS.1.2.2.M9', 'Lokale Kommunikationsfilterung (CI)']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  # 1 = Block (per the title); 0 would be Allow.
  describe registry_key('HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\PublicProfile') do
    it { should exist }
    it { should have_property 'DefaultInboundAction' }
    its('DefaultInboundAction') { should eq 1 }
  end
end

# CIS 9.3.3: outbound connections that match no rule are allowed on the Public
# profile (DefaultOutboundAction = 0); the desc's note explains why a Block
# default deployed by GPO can cut the machine off from further policy updates.
control 'windows-138' do
  title 'Ensure \'Windows Firewall: Public: Outbound connections\' is set to \'Allow (default)\''
  desc 'This setting determines the behavior for outbound connections that do not match an outbound firewall rule.

  The recommended state for this setting is: Allow (default).

  **Note:** If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying.'
  impact 1.0
  tag 'windows': %w(2012R2 2016 2019)
  tag 'profile': ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '9.3.3'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '9.3.3'
  tag 'level': '1'
  tag 'bsi': ['SYS.1.2.2.M4', 'Sichere Konfiguration', 'SYS.1.2.2.M9', 'Lokale Kommunikationsfilterung (CI)']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  # 0 = Allow (per the title); 1 would be Block.
  describe registry_key('HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\PublicProfile') do
    it { should exist }
    it { should have_property 'DefaultOutboundAction' }
    its('DefaultOutboundAction') { should eq 0 }
  end
end

# CIS 9.3.4: user notification when a program is blocked on the Public profile.
# NOTE(review): the title and desc say the recommended state is 'Yes', but the
# check below asserts DisableNotifications == 1, i.e. notifications are NOT
# displayed -- the same state windows-123 and windows-131 enforce as 'No'.
# One side is stale; confirm against section 9.3.4 of the cited benchmarks
# before changing either the strings or the expected value.
control 'windows-139' do
  title 'Ensure \'Windows Firewall: Public: Settings: Display a notification\' is set to \'Yes\''
  desc 'Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections.

  The recommended state for this setting is: Yes.

  **Note:** When the Apply local firewall rules setting is configured to Yes, it is also recommended to also configure the Display a notification setting to Yes. Otherwise, users will not receive messages that ask if they want to unblock a restricted inbound connection.'
  impact 1.0
  tag 'windows': %w(2012R2 2016 2019)
  tag 'profile': ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '9.3.4'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '9.3.4'
  tag 'level': '1'
  tag 'bsi': ['SYS.1.2.2.M4', 'Sichere Konfiguration', 'SYS.1.2.2.M9', 'Lokale Kommunikationsfilterung (CI)']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  # 1 = notifications disabled (contradicts the 'Yes' in the title/desc above).
  describe registry_key('HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\PublicProfile') do
    it { should exist }
    it { should have_property 'DisableNotifications' }
    its('DisableNotifications') { should eq 1 }
  end
end

# CIS 9.3.5: locally created firewall rules are not merged with the Group
# Policy rule set on the Public profile (AllowLocalPolicyMerge = 0), so a local
# administrator cannot widen what the central policy allows.
control 'windows-140' do
  title 'Ensure \'Windows Firewall: Public: Settings: Apply local firewall rules\' is set to \'No\''
  desc 'This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy.

  The recommended state for this setting is: No.'
454 | impact 1.0 455 | tag 'windows': %w(2012R2 2016 2019) 456 | tag 'profile': ['Domain Controller', 'Member Server'] 457 | tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '9.3.5' 458 | tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '9.3.5' 459 | tag 'level': '1' 460 | tag 'bsi': ['SYS.1.2.2.M4', 'Sichere Konfiguration', 'SYS.1.2.2.M9', 'Lokale Kommunikationsfilterung (CI)'] 461 | ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html' 462 | ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html' 463 | ref 'Center for Internet Security', url: 'https://www.cisecurity.org/' 464 | describe registry_key('HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\PublicProfile') do 465 | it { should exist } 466 | it { should have_property 'AllowLocalPolicyMerge' } 467 | its('AllowLocalPolicyMerge') { should eq 0 } 468 | end 469 | end 470 | 471 | control 'windows-141' do 472 | title 'Ensure \'Windows Firewall: Public: Settings: Apply local connection security rules\' is set to \'No\'' 473 | desc 'This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy. 474 | 475 | The recommended state for this setting is: No.' 
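# windows-141 continues here: its `control` header, title and desc precede this point.
  impact 1.0
  tag 'windows': %w(2012R2 2016 2019)
  tag 'profile': ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '9.3.6'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '9.3.6'
  tag 'level': '1'
  tag 'bsi': ['SYS.1.2.2.M4', 'Sichere Konfiguration', 'SYS.1.2.2.M9', 'Lokale Kommunikationsfilterung (CI)']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  describe registry_key('HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\PublicProfile') do
    it { should exist }
    it { should have_property 'AllowLocalIPsecPolicyMerge' }
    its('AllowLocalIPsecPolicyMerge') { should eq 0 }
  end
end

# CIS 9.3.7 / BSI SYS.1.2.2.M9 (public profile): the firewall log must be written
# to the dedicated per-profile file so that dropped/allowed traffic is recorded
# where the benchmark (and any log collection built on it) expects to find it.
control 'windows-142' do
  title 'Ensure \'Windows Firewall: Public: Logging: Name\' is set to \'%SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log\''
  desc 'Use this option to specify the path and name of the file in which Windows Firewall will write its log information.

The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log.'
  impact 1.0
  tag 'windows': %w(2012R2 2016 2019)
  tag 'profile': ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '9.3.7'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '9.3.7'
  tag 'level': '1'
  tag 'bsi': ['SYS.1.2.2.M4', 'Sichere Konfiguration', 'SYS.1.2.2.M9', 'Lokale Kommunikationsfilterung (CI)']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  # The policy-backed Logging key is inspected, so the value must be enforced via
  # policy for this control to pass (local-only configuration is expected to fail).
  describe registry_key('HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\PublicProfile\\Logging') do
    it { should exist }
    it { should have_property 'LogFilePath' }
    # Windows file paths and %VARIABLE% names are case-insensitive, and this
    # control's own title/desc spell the path 'System32' while the previous check
    # demanded the exact string 'system32'. A case-sensitive `eq` therefore fails
    # on a host configured exactly as documented. Compare case-insensitively
    # against the stored (unexpanded) value instead; anchors keep it an exact-path
    # match rather than a substring match.
    its('LogFilePath') { should match(/\A%systemroot%\\system32\\logfiles\\firewall\\publicfw\.log\z/i) }
  end
end

control 'windows-143' do
  title 'Ensure \'Windows Firewall: Public: Logging: Size limit (KB)\' is set to \'16,384 KB or greater\''
  desc 'Use this option to specify the size limit of the file in which Windows Firewall will write its log information.

The recommended state for this setting is: 16,384 KB or greater.'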
# windows-143 continues here: its `control` header, title and desc precede this point.
  impact 1.0
  tag 'windows': %w(2012R2 2016 2019)
  tag 'profile': ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '9.3.8'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '9.3.8'
  tag 'level': '1'
  tag 'bsi': ['SYS.1.2.2.M4', 'Sichere Konfiguration', 'SYS.1.2.2.M9', 'Lokale Kommunikationsfilterung (CI)']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  describe registry_key('HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\PublicProfile\\Logging') do
    it { should exist }
    it { should have_property 'LogFileSize' }
    its('LogFileSize') { should be >= 16384 }
  end
end

# CIS 9.3.9 / BSI SYS.1.2.2.M9 (public profile): dropped inbound packets must be
# logged. Without this the firewall log holds no record of blocked traffic, which
# is what detection and incident response rely on when reviewing the public profile.
control 'windows-144' do
  title "Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'"
  desc 'Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log.

The recommended state for this setting is: Yes.'
  impact 1.0
  tag windows: ['2012R2', '2016', '2019']
  tag profile: ['Domain Controller', 'Member Server']
  tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '9.3.9'
  tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '9.3.9'
  tag level: '1'
  tag bsi: ['SYS.1.2.2.M4', 'Sichere Konfiguration', 'SYS.1.2.2.M9', 'Lokale Kommunikationsfilterung (CI)']
  ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html'
  ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html'
  ref 'Center for Internet Security', url: 'https://www.cisecurity.org/'
  # The policy-backed Logging key is inspected: the control asserts the setting is
  # enforced via policy, not merely present in the local firewall configuration.
  logging_key = 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\PublicProfile\\Logging'
  describe registry_key(logging_key) do
    it { should exist }
    it { should have_property('LogDroppedPackets') }
    its('LogDroppedPackets') { should eq(1) }
  end
end

control 'windows-145' do
  title 'Ensure \'Windows Firewall: Public: Logging: Log successful connections\' is set to \'Yes\''
  desc 'Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log.

The recommended state for this setting is: Yes.'
564 | impact 1.0 565 | tag 'windows': %w(2012R2 2016 2019) 566 | tag 'profile': ['Domain Controller', 'Member Server'] 567 | tag 'CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0 - 03-30-2018': '9.3.10' 568 | tag 'CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.1.0 - 10-31-2018': '9.3.10' 569 | tag 'level': '1' 570 | tag 'bsi': ['SYS.1.2.2.M4', 'Sichere Konfiguration', 'SYS.1.2.2.M9', 'Lokale Kommunikationsfilterung (CI)'] 571 | ref 'IT-Grundschutz-Kompendium', url: 'https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzKompendium/itgrundschutzKompendium_node.html' 572 | ref 'Umsetzungshinweise zum Baustein SYS.1.2.2: Windows Server 2012', url: 'https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-Grundschutz-Modernisierung/UH_Windows_Server_2012.html' 573 | ref 'Center for Internet Security', url: 'https://www.cisecurity.org/' 574 | describe registry_key('HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\WindowsFirewall\\PublicProfile\\Logging') do 575 | it { should exist } 576 | it { should have_property 'LogSuccessfulConnections' } 577 | its('LogSuccessfulConnections') { should eq 1 } 578 | end 579 | end 580 | -------------------------------------------------------------------------------- /inspec.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: windows-baseline 3 | title: DevSec Windows Security Baseline 4 | summary: An InSpec Compliance Profile that covers CIS Microsoft Windows Server 2012R2, 2016 RTM (Release 1607) Benchmark Level 1 and 2 and additional controls from MS technet. 
5 | version: 2.1.10 6 | maintainer: DevSec Hardening Framework Team 7 | copyright: DevSec Hardening Framework Team 8 | copyright_email: hello@dev-sec.io 9 | license: Apache-2.0 10 | inspec_version: '>= 4.6.3' 11 | supports: 12 | - platform-family: windows 13 | attributes: 14 | - name: level_1_or_2 15 | required: false 16 | description: 'define if you want to execute Level 1 or (Level 1 and Level 2)' 17 | value: 1 18 | type: numeric 19 | - name: ms_or_dc 20 | required: false 21 | description: 'define if you want to execute the profile in the context of a Member Server (MS) or Domain Controller (DC)' 22 | value: 'MS' 23 | type: string 24 | - name: password_history_size 25 | required: false 26 | description: 'define password history size' 27 | value: 24 28 | type: numeric 29 | - name: maximum_password_age 30 | required: false 31 | description: 'define MaximumPasswordAge' 32 | value: 60 33 | type: numeric 34 | - name: se_network_logon_right 35 | required: false 36 | description: 'define which users are allowed to access this computer from the network' 37 | value: ['S-1-5-9', 'S-1-5-32-544'] 38 | type: array 39 | - name: se_interactive_logon_right 40 | required: false 41 | description: 'define which users are allowed to log on locally' 42 | value: ['S-1-5-32-544'] 43 | type: array 44 | - name: se_remote_interactive_logon_right 45 | required: false 46 | description: 'define which users are allowed to log on through Remote Desktop Services' 47 | value: ['S-1-5-32-544'] 48 | type: array 49 | - name: se_backup_privilege 50 | required: false 51 | description: 'define which users are allowed to backup files and directories' 52 | value: ['S-1-5-32-544'] 53 | type: array 54 | - name: se_systemtime_privilege 55 | required: false 56 | description: 'define which users are allowed to change system time' 57 | value: ['S-1-5-19', 'S-1-5-32-544'] 58 | type: array 59 | - name: se_time_zone_privilege 60 | required: false 61 | description: 'define which users are allowed to change system 
time zone' 62 | value: ['S-1-5-19', 'S-1-5-32-544'] 63 | type: array 64 | - name: se_create_symbolic_link_privilege 65 | required: false 66 | description: 'define which users are allowed to create symbolic links' 67 | value: ['S-1-5-32-544'] 68 | type: array 69 | - name: se_deny_network_logon_right 70 | required: false 71 | description: 'define which users are not allowed to access this computer from the network' 72 | value: ['S-1-5-32-546'] 73 | type: array 74 | - name: se_deny_remote_interactive_logon_right 75 | required: false 76 | description: 'define which users are not allowed to log on through Remote Desktop Services' 77 | value: ['S-1-5-32-546'] 78 | type: array 79 | - name: se_enable_delegation_privilege 80 | required: false 81 | description: 'define which users are allowed to enable computer and user accounts to be trusted for delegation' 82 | value: [] 83 | type: array 84 | - name: se_impersonate_privilege 85 | required: false 86 | description: 'define which users are allowed to impersonate a client after authentication' 87 | value: ['S-1-5-19', 'S-1-5-20', 'S-1-5-32-544', 'S-1-5-6'] 88 | type: array 89 | - name: se_load_driver_privilege 90 | required: false 91 | description: 'define which users are allowed to load and unload device drivers' 92 | value: ['S-1-5-32-544'] 93 | type: array 94 | - name: se_batch_logon_right 95 | required: false 96 | description: 'define which users are allowed to log on as a batch job' 97 | value: ['S-1-5-32-544', 'S-1-5-32-551'] 98 | type: array 99 | - name: se_security_privilege 100 | required: false 101 | description: 'define which users are allowed to manage auditing and security logs' 102 | value: ['S-1-5-32-544'] 103 | type: array 104 | - name: se_assign_primary_token_privilege 105 | required: false 106 | description: 'define which users are allowed to replace a process level token' 107 | value: ['S-1-5-19', 'S-1-5-20'] 108 | type: array 109 | - name: se_restore_privilege 110 | required: false 111 | description: 'define 
which users are allowed to restore files and directories' 112 | value: ['S-1-5-32-544'] 113 | type: array 114 | -------------------------------------------------------------------------------- /renovate.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://docs.renovatebot.com/renovate-schema.json", 3 | "extends": [ 4 | "config:base", 5 | ":gitSignOff" 6 | ], 7 | "dependencyDashboard": true, 8 | "dependencyDashboardAutoclose": true, 9 | "packageRules": [ 10 | { 11 | "matchUpdateTypes": ["patch", "minor"], 12 | "automerge": true 13 | } 14 | ] 15 | } 16 | --------------------------------------------------------------------------------