├── .gitignore ├── Gemfile ├── LICENSE ├── README.md ├── Rakefile ├── files └── gp_utils │ ├── lgpo.exe │ ├── policy.inf │ └── rules_list.txt ├── manifests ├── auditpol.pp ├── init.pp └── rules.pp ├── metadata.json ├── spec ├── classes │ └── init_spec.rb └── spec_helper.rb ├── templates ├── import_group_policy.ps1.erb └── import_policy_secedit.ps1.erb └── tests └── init.pp /.gitignore: -------------------------------------------------------------------------------- 1 | pkg -------------------------------------------------------------------------------- /Gemfile: -------------------------------------------------------------------------------- 1 | source 'https://rubygems.org' 2 | 3 | puppetversion = ENV.key?('PUPPET_VERSION') ? "= #{ENV['PUPPET_VERSION']}" : ['>= 3.3'] 4 | gem 'puppet', puppetversion 5 | gem 'puppetlabs_spec_helper', '>= 0.1.0' 6 | gem 'puppet-lint', '>= 0.3.2' 7 | gem 'facter', '>= 1.7.0' 8 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. 
For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 
47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. 
Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # windows_cis 2 | 3 | ## Overview 4 | 5 | Puppet module which is *TRULY* able to apply CIS rules. It can apply security templates and registry-based policy. 6 | 7 | Hardening is done using the CIS Benchmark, covering ALL Scored rules, against a **_Standalone Windows Server_** 8 | 9 | ## Usage 10 | ```puppet 11 | class { 'windows_cis::rules': 12 | ensure => 'present', 13 | list => 'all', 14 | } 15 | ``` 16 | 17 | This will apply the basic *scored* CIS rules for a Standalone Server Instance. 
18 | Some additional rules are also defined in `files/gp_utils/rules_list.txt` 19 | 20 | 21 | ## Rules list 22 | -- 23 | 24 | Based on **CIS Microsoft Windows Server 2012 Benchmark** 25 | 26 | ###### CCE-23909-5 27 | Set 'Account lockout threshold' to '5 invalid logon attempt(s)' (Scored) 28 | 29 | Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout threshold 30 | 31 | ###### CCE-24768-4 32 | Set 'Account lockout duration' to '15 or more minute(s)' (Scored) 33 | 34 | 35 | Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout duration 36 | 37 | ###### CCE-24840-1 38 | Set 'Reset account lockout counter after' to '15 minute(s)' (Scored) 39 | 40 | Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Reset account lockout counter after 41 | 42 | ###### CCE-25317-9 43 | Set 'Minimum password length' to '14 or more character(s)' (Scored) 44 | 45 | Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password length 46 | 47 | ###### CCE-24644-7 48 | Set 'Enforce password history' to '24 or more password(s)' (Scored) 49 | 50 | Computer Configuration\Windows Settings\Security Settings\Account Policies\Password 51 | Policy\Enforce password history 52 | 53 | ###### CCE-25602-4 54 | Set 'Password must meet complexity requirements' to 'Enabled' (Scored) 55 | 56 | Computer Configuration\Windows Settings\Security Settings\Account Policies\Password 57 | Policy\Password must meet complexity requirements 58 | 59 | ###### CCE-23951-7 60 | Set 'Store passwords using reversible encryption' to 'Disabled' (Scored) 61 | 62 | Computer Configuration\Windows Settings\Security Settings\Account Policies\Password 63 | Policy\Store passwords using reversible encryption 64 | 65 | ###### CCE-24018-4 66 | Set 'Minimum password age' to '1 or more day(s)' (Scored) 67 | 68 | Computer Configuration\Windows 
Settings\Security Settings\Account Policies\Password 69 | Policy\Minimum password age 70 | 71 | ###### CCE-24535-7 72 | Set 'Maximum password age' to '60 or fewer days' (Scored) 73 | 74 | Computer Configuration\Windows Settings\Security Settings\Account Policies\Password 75 | Policy\Maximum password age 76 | 77 | ###### CCE-25088-6 78 | Set 'Audit Policy: Account Logon: Credential Validation' to 'Success and Failure' (Scored) 79 | 80 | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy 81 | Configuration\Audit Policies\Account Logon\Audit Policy: Account Logon: Credential 82 | Validation 83 | 84 | ###### CCE-24553-0 85 | Set 'Audit Policy: Account Logon: Kerberos Authentication Service' to 'No Auditing' (Scored) 86 | 87 | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy 88 | Configuration\Audit Policies\Account Logon\Audit Policy: Account Logon: Kerberos 89 | Authentication Service 90 | 91 | ###### CCE-25549-7 92 | Set 'Audit Policy: Account Logon: Kerberos Service Ticket Operations' to 'No Auditing' (Scored) 93 | 94 | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy 95 | Configuration\Audit Policies\Account Logon\Audit Policy: Account Logon: Kerberos 96 | Service Ticket Operations 97 | 98 | ###### CCE-24509-2 99 | Set 'Audit Policy: Account Logon: Other Account Logon Events' to 'No Auditing' (Scored) 100 | 101 | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy 102 | Configuration\Audit Policies\Account Logon\Audit Policy: Account Logon: Other Account 103 | Logon Events 104 | 105 | ###### CCE-24868-2 106 | Set 'Audit Policy: Account Management: Application Group Management' to 'No Auditing' (Scored) 107 | 108 | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy 109 | Configuration\Audit Policies\Account Management\Audit Policy: Account Management: 110 | Application Group Management 111 | 112 | ###### CCE-23482-3 113 | 
Configure 'Audit Policy: Account Management: Computer Account Management' (Scored) 114 | 115 | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy 116 | Configuration\Audit Policies\Account Management\Audit Policy: Account Management: 117 | Computer Account Management 118 | 119 | ###### CCE-25739-4 120 | Set 'Audit Policy: Account Management: Distribution Group Management' to 'No Auditing' (Scored) 121 | 122 | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy 123 | Configuration\Audit Policies\Account Management\Audit Policy: Account Management: 124 | Distribution Group Management 125 | 126 | ###### CCE-24588-6 127 | Set 'Audit Policy: Account Management: Other Account Management Events' to 'Success and Failure' (Scored) 128 | 129 | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy 130 | Configuration\Audit Policies\Account Management\Audit Policy: Account Management: 131 | Other Account Management Events 132 | 133 | ###### CCE-23955-8 134 | Set 'Audit Policy: Account Management: Security Group Management' to 'Success and Failure' (Scored) 135 | 136 | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy 137 | Configuration\Audit Policies\Account Management\Audit Policy: Account Management: 138 | Security Group Management 139 | 140 | ###### CCE-25123-1 141 | Set 'Audit Policy: Account Management: User Account Management' to 'Success and Failure' (Scored) 142 | 143 | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy 144 | Configuration\Audit Policies\Account Management\Audit Policy: Account Management: User 145 | Account Management 146 | 147 | ###### CCE-25011-8 148 | Set 'Audit Policy: Detailed Tracking: DPAPI Activity' to 'No Auditing' (Scored) 149 | 150 | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy 151 | Configuration\Audit Policies\Detailed Tracking\Audit Policy: Detailed Tracking: 
DPAPI 152 | Activity 153 | 154 | ###### CCE-25461-5 155 | Set 'Audit Policy: Detailed Tracking: Process Creation' to 'Success' (Scored) 156 | 157 | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy 158 | Configuration\Audit Policies\Detailed Tracking\Audit Policy: Detailed Tracking: 159 | Process Creation 160 | 161 | ###### CCE-25490-4 162 | Set 'Audit Policy: Detailed Tracking: Process Termination' to 'No Auditing' (Scored) 163 | 164 | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy 165 | Configuration\Audit Policies\Detailed Tracking\Audit Policy: Detailed Tracking: 166 | Process Termination 167 | 168 | ###### CCE-23502-8 169 | Set 'Audit Policy: Detailed Tracking: RPC Events' to 'No Auditing' (Scored) 170 | 171 | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy 172 | Configuration\Audit Policies\Detailed Tracking\Audit Policy: Detailed Tracking: RPC 173 | Events 174 | 175 | 176 | ###### CCE-23619-0[DOMAIN CONTROLLER] 177 | Set 'Audit Policy: DS Access: Detailed Directory Service Replication' to 'No Auditing' (Scored) 178 | 179 | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy 180 | Configuration\Audit Policies\DS Access\Audit Policy: DS Access: Detailed Directory 181 | Service Replication 182 | 183 | 184 | ###### CCE-23953-3[DOMAIN CONTROLLER] 185 | Set 'Audit Policy: DS Access: Directory Service Access' to 'Success and Failure' (Scored) 186 | 187 | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy 188 | Configuration\Audit Policies\DS Access\Audit Policy: DS Access: Directory Service 189 | Access 190 | 191 | 192 | ###### CCE-24645-4[DOMAIN CONTROLLER] 193 | Set 'Audit Policy: DS Access: Directory Service Changes' to 'Success and Failure' (Scored) 194 | 195 | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy 196 | Configuration\Audit Policies\DS Access\Audit Policy: DS Access: 
Directory Service 197 | Changes 198 | 199 | 200 | ###### CCE-24355-0[DOMAIN CONTROLLER] 201 | Set 'Audit Policy: DS Access: Directory Service Replication' to 'No Auditing' (Scored) 202 | 203 | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy 204 | Configuration\Audit Policies\DS Access\Audit Policy: DS Access: Directory Service 205 | Replication 206 | 207 | ###### CCE-24598-5 208 | Set 'Audit Policy: Logon-Logoff: Account Lockout' to 'No Auditing' (Scored) 209 | 210 | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy 211 | Configuration\Audit Policies\Logon/Logoff\Audit Policy: Logon-Logoff: Account Lockout 212 | 213 | ###### CCE-24404-6 214 | Set 'Audit Policy: Logon-Logoff: IPsec Extended Mode' to 'No Auditing' (Scored) 215 | 216 | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy 217 | Configuration\Audit Policies\Logon/Logoff\Audit Policy: Logon-Logoff: IPsec Extended 218 | Mode 219 | 220 | ###### CCE-24584-5 221 | Set 'Audit Policy: Logon-Logoff: IPsec Main Mode' to 'No Auditing' (Scored) 222 | 223 | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy 224 | Configuration\Audit Policies\Logon/Logoff\Audit Policy: Logon-Logoff: IPsec Main Mode 225 | 226 | ###### CCE-23614-1 227 | Set 'Audit Policy: Logon-Logoff: IPsec Quick Mode' to 'No Auditing' (Scored) 228 | 229 | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy 230 | Configuration\Audit Policies\Logon/Logoff\Audit Policy: Logon-Logoff: IPsec Quick Mode 231 | 232 | ###### CCE-24901-1 233 | Set 'Audit Policy: Logon-Logoff: Logoff' to 'Success' (Scored) 234 | 235 | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy 236 | Configuration\Audit Policies\Logon/Logoff\Audit Policy: Logon-Logoff: Logoff 237 | 238 | ###### CCE-23670-3 239 | Set 'Audit Policy: Logon-Logoff: Logon' to 'Success and Failure' (Scored) 240 | 241 | Computer 
Configuration\Windows Settings\Security Settings\Advanced Audit Policy 242 | Configuration\Audit Policies\Logon/Logoff\Audit Policy: Logon-Logoff: Logon 243 | 244 | ###### CCE-25189-2 245 | Set 'Audit Policy: Logon-Logoff: Network Policy Server' to 'No Auditing' (Scored) 246 | 247 | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy 248 | Configuration\Audit Policies\Logon/Logoff\Audit Policy: Logon-Logoff: Network Policy 249 | Server 250 | 251 | ###### CCE-24494-7 252 | Set 'Audit Policy: Logon-Logoff: Other Logon/Logoff Events' to 'No Auditing' (Scored) 253 | 254 | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy 255 | Configuration\Audit Policies\Logon/Logoff\Audit Policy: Logon-Logoff: Other 256 | Logon/Logoff Events 257 | 258 | ###### CCE-24187-7 259 | Set 'Audit Policy: Logon-Logoff: Special Logon' to 'Success' (Scored) 260 | 261 | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy 262 | Configuration\Audit Policies\Logon/Logoff\Audit Policy: Logon-Logoff: Special Logon 263 | 264 | ###### CCE-25316-1 265 | Set 'Audit Policy: Object Access: Application Generated' to 'No Auditing' (Scored) 266 | 267 | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy 268 | Configuration\Audit Policies\Object Access\Audit Policy: Object Access: Application 269 | Generated 270 | 271 | ###### CCE-24643-9 272 | Set 'Audit Policy: Object Access: Central Access Policy Staging' to 'No Auditing' (Scored) 273 | 274 | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy 275 | Configuration\Audit Policies\Object Access\Audit Policy: Object Access: Central Access 276 | Policy Staging 277 | 278 | ###### CCE-23129-0 279 | Set 'Audit Policy: Object Access: Certification Services' to 'No Auditing' (Scored) 280 | 281 | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy 282 | Configuration\Audit Policies\Object Access\Audit 
Policy: Object Access: Certification 283 | Services 284 | 285 | ###### CCE-24791-6 286 | Set 'Audit Policy: Object Access: Detailed File Share' to 'No Auditing' (Scored) 287 | 288 | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy 289 | Configuration\Audit Policies\Object Access\Audit Policy: Object Access: Detailed File 290 | Share 291 | 292 | ###### CCE-24035-8 293 | Set 'Audit Policy: Object Access: File Share' to 'No Auditing' (Scored) 294 | 295 | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy 296 | Configuration\Audit Policies\Object Access\Audit Policy: Object Access: File Share 297 | 298 | ###### CCE-24456-6 299 | Set 'Audit Policy: Object Access: File System' to 'No Auditing' (Scored) 300 | 301 | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy 302 | Configuration\Audit Policies\Object Access\Audit Policy: Object Access: File System 303 | 304 | ###### CCE-24714-8 305 | Set 'Audit Policy: Object Access: Filtering Platform Connection' to 'No Auditing' (Scored) 306 | 307 | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy 308 | Configuration\Audit Policies\Object Access\Audit Policy: Object Access: Filtering 309 | Platform Connection 310 | 311 | ###### CCE-24824-5 312 | Set 'Audit Policy: Object Access: Filtering Platform Packet Drop' to 'No Auditing' (Scored) 313 | 314 | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy 315 | Configuration\Audit Policies\Object Access\Audit Policy: Object Access: Filtering 316 | Platform Packet Drop 317 | 318 | ###### CCE-24599-3 319 | Set 'Audit Policy: Object Access: Handle Manipulation' to 'No Auditing' (Scored) 320 | 321 | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy 322 | Configuration\Audit Policies\Object Access\Audit Policy: Object Access: Handle 323 | Manipulation 324 | 325 | ###### CCE-23655-4 326 | Set 'Audit Policy: Object 
Access: Kernel Object' to 'No Auditing' (Scored) 327 | 328 | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy 329 | Configuration\Audit Policies\Object Access\Audit Policy: Object Access: Kernel Object 330 | 331 | ###### CCE-24236-2 332 | Set 'Audit Policy: Object Access: Other Object Access Events' to 'No Auditing' (Scored) 333 | 334 | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy 335 | Configuration\Audit Policies\Object Access\Audit Policy: Object Access: Other Object 336 | Access Events 337 | 338 | ###### CCE-23630-7 339 | Set 'Audit Policy: Object Access: Registry' to 'No Auditing' (Scored) 340 | 341 | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy 342 | Configuration\Audit Policies\Object Access\Audit Policy: Object Access: Registry 343 | 344 | ###### CCE-22826-2 345 | Set 'Audit Policy: Object Access: Removable Storage' to 'No Auditing' (Scored) 346 | 347 | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy 348 | Configuration\Audit Policies\Object Access\Audit Policy: Object Access: Removable 349 | Storage 350 | 351 | ###### CCE-24439-2 352 | Set 'Audit Policy: Object Access: SAM' to 'No Auditing' (Scored) 353 | 354 | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy 355 | Configuration\Audit Policies\Object Access\Audit Policy: Object Access: SAM 356 | 357 | ###### CCE-25035-7 358 | Set 'Audit Policy: Policy Change: Audit Policy Change' to 'Success and Failure' (Scored) 359 | 360 | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy 361 | Configuration\Audit Policies\Policy Change\Audit Policy: Policy Change: Audit Policy 362 | Change 363 | 364 | ###### CCE-25674-3 365 | Set 'Audit Policy: Policy Change: Authentication Policy Change' to 'Success' (Scored) 366 | 367 | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy 368 | Configuration\Audit 
Policies\Policy Change\Audit Policy: Policy Change: Authentication 369 | Policy Change 370 | 371 | ###### CCE-24421-0 372 | Set 'Audit Policy: Policy Change: Authorization Policy Change' to 'No Auditing' (Scored) 373 | 374 | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy 375 | Configuration\Audit Policies\Policy Change\Audit Policy: Policy Change: Authorization 376 | Policy Change 377 | 378 | ###### CCE-24965-6 379 | Set 'Audit Policy: Policy Change: Filtering Platform Policy Change' to 'No Auditing' (Scored) 380 | 381 | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy 382 | Configuration\Audit Policies\Policy Change\Audit Policy: Policy Change: Filtering 383 | Platform Policy Change 384 | 385 | ###### CCE-24259-4 386 | Set 'Audit Policy: Policy Change: MPSSVC Rule-Level Policy Change' to 'No Auditing' (Scored) 387 | 388 | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy 389 | Configuration\Audit Policies\Policy Change\Audit Policy: Policy Change: MPSSVC Rule- 390 | Level Policy Change 391 | 392 | ###### CCE-25169-4 393 | Set 'Audit Policy: Policy Change: Other Policy Change Events' to 'No Auditing' (Scored) 394 | 395 | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy 396 | Configuration\Audit Policies\Policy Change\Audit Policy: Policy Change: Other Policy 397 | Change Events 398 | 399 | ###### CCE-23876-6 400 | Set 'Audit Policy: Privilege Use: Non Sensitive Privilege Use' to 'No Auditing' (Scored) 401 | 402 | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy 403 | Configuration\Audit Policies\Privilege Use\Audit Policy: Privilege Use: Non Sensitive 404 | Privilege Use 405 | 406 | ###### CCE-23920-2 407 | Set 'Audit Policy: Privilege Use: Other Privilege Use Events' to 'No Auditing' (Scored) 408 | 409 | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy 410 | Configuration\Audit 
Policies\Privilege Use\Audit Policy: Privilege Use: Other 411 | Privilege Use Events 412 | 413 | ###### CCE-24691-8 414 | Set 'Audit Policy: Privilege Use: Sensitive Privilege Use' to 'Success and Failure' (Scored) 415 | 416 | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy 417 | Configuration\Audit Policies\Privilege Use\Audit Policy: Privilege Use: Sensitive 418 | Privilege Use 419 | 420 | ###### CCE-25372-4 421 | Set 'Audit Policy: System: IPsec Driver' to 'Success and Failure' (Scored) 422 | 423 | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy 424 | Configuration\Audit Policies\System\Audit Policy: System: IPsec Driver 425 | 426 | ###### CCE-25187-6 427 | Set 'Audit Policy: System: Other System Events' to 'No Auditing' (Scored) 428 | 429 | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy 430 | Configuration\Audit Policies\System\Audit Policy: System: Other System Events 431 | 432 | ###### CCE-25178-5 433 | Set 'Audit Policy: System: Security State Change' to 'Success and Failure' (Scored) 434 | 435 | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy 436 | Configuration\Audit Policies\System\Audit Policy: System: Security State Change 437 | 438 | ###### CCE-25527-3 439 | Set 'Audit Policy: System: Security System Extension' to 'Success and Failure' (Scored) 440 | 441 | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy 442 | Configuration\Audit Policies\System\Audit Policy: System: Security System Extension 443 | 444 | ###### CCE-25093-6 445 | Set 'Audit Policy: System: System Integrity' to 'Success and Failure' (Scored) 446 | 447 | Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy 448 | Configuration\Audit Policies\System\Audit Policy: System: System Integrity 449 | 450 | ###### CCE-23836-0 451 | Configure 'Accounts: Rename administrator account' (Scored) 452 | 453 | Default 
Value: Administrator 454 | 455 | ###### CCE-23675-2 456 | Configure 'Accounts: Rename guest account' (Scored) 457 | 458 | Default Value: Guest 459 | 460 | ###### CCE-25589-3 461 | Set 'Accounts: Limit local account use of blank passwords to console logon only' to 'Enabled' (Scored) 462 | 463 | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse 464 | 465 | ###### CCE-24075-4 466 | Configure 'Audit: Audit the access of global system objects' (Not Scored) 467 | 468 | Default Value: Disabled 469 | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects 470 | 471 | ###### CCE-24923-5 472 | Configure 'Audit: Audit the use of Backup and Restore privilege' (Not Scored) 473 | 474 | Default Value: Disabled 475 | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\fullprivilegeauditing 476 | 477 | ###### CCE-24252-9 478 | Set 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' to 'Enabled' (Scored) 479 | 480 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security 481 | Options\Audit: Force audit policy subcategory settings (Windows Vista or later) to 482 | override audit policy category settings 483 | 484 | ###### CCE-23988-9 485 | Set 'Audit: Shut down system immediately if unable to log security audits' to 'Disabled' (Scored) 486 | 487 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Shut down system immediately if unable to log security audits 488 | 489 | ###### CCE-24640-5 490 | Configure 'DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax' (Not Scored) 491 | 492 | HKEY_LOCAL_MACHINE\Software\policies\Microsoft\windows NT\DCOM\MachineAccessRestriction 493 | 494 | ###### CCE-25572-9 495 | Configure 'DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax' (Not Scored) 496 | 497 | 
HKEY_LOCAL_MACHINE\Software\policies\Microsoft\windows NT\DCOM\MachineLaunchRestriction 498 | 499 | ###### CCE-25248-6 500 | Configure 'Devices: Allow undock without having to log on' (Not Scored) 501 | 502 | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\undockwithoutlogon 503 | 504 | ###### CCE-24607-4 505 | Configure 'Devices: Restrict CD-ROM access to locally logged-on user only' (Not Scored) 506 | 507 | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms 508 | 509 | ###### CCE-23668-7 510 | Configure 'Devices: Restrict floppy access to locally logged-on user only' (Not Scored) 511 | 512 | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies 513 | 514 | ###### CCE-25217-1 515 | Set 'Devices: Allowed to format and eject removable media' to 'Administrators' (Scored) 516 | 517 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security 518 | Options\Devices: Allowed to format and eject removable media 519 | 520 | ###### CCE-25176-9 521 | Set 'Devices: Prevent users from installing printer drivers' to 'Enabled' (Scored) 522 | 523 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Prevent users from installing printer drivers 524 | 525 | 526 | ###### CCE-25305-4[DOMAIN CONTROLLER] 527 | Set 'Domain controller: Allow server operators to schedule tasks' to 'Disabled' (Scored) 528 | 529 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain controller: Allow server operators to schedule tasks 530 | 531 | 532 | ###### CCE-23587-9[DOMAIN CONTROLLER] 533 | Set 'Domain controller: LDAP server signing requirements' to 'Require signing' (Scored) 534 | 535 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain controller: LDAP server signing requirements 536 | 537 | 538 | ###### CCE-24692-6[DOMAIN CONTROLLER] 539 | 
Set 'Domain controller: Refuse machine account password changes' to 'Disabled' (Scored) 540 | 541 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain controller: Refuse machine account password changes 542 | 543 | 544 | ###### CCE-24465-7[DOMAIN CONTROLLER] 545 | Set 'Domain member: Digitally encrypt or sign secure channel data (always)' to 'Enabled' (Scored) 546 | 547 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security 548 | Options\Domain member: Digitally encrypt or sign secure channel data (always) 549 | 550 | 551 | ###### CCE-24414-5[DOMAIN CONTROLLER] 552 | Set 'Domain member: Digitally encrypt secure channel data (when possible)' to 'Enabled' (Scored) 553 | 554 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security 555 | Options\Domain member: Digitally encrypt secure channel data (when possible) 556 | 557 | 558 | ###### CCE-24812-0[DOMAIN CONTROLLER] 559 | Set 'Domain member: Digitally sign secure channel data (when possible)' to 'Enabled' (Scored) 560 | 561 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally sign secure channel data (when possible) 562 | 563 | 564 | ###### CCE-24243-8[DOMAIN CONTROLLER] 565 | Set 'Domain member: Disable machine account password changes' to 'Disabled' (Scored) 566 | 567 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security 568 | Options\Domain member: Disable machine account password changes 569 | 570 | 571 | ###### CCE-23596-0[DOMAIN CONTROLLER] 572 | Set 'Domain member: Maximum machine account password age' to '30 or fewer day(s)' (Scored) 573 | 574 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Maximum machine account password age 575 | 576 | 577 | ###### CCE-25198-3[DOMAIN CONTROLLER] 578 | Set 'Domain member: Require strong (Windows 2000 or later) session key' 
to 'Enabled' (Scored) 579 | 580 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Require strong (Windows 2000 or later) session key 581 | 582 | ###### CCE-25018-3 583 | Configure 'Interactive logon: Display user information when the session is locked' (Not Scored) 584 | 585 | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDispl 586 | ayLockedUserId 587 | 588 | ###### CCE-25355-9 589 | Configure 'Interactive logon: Message text for users attempting to log on' (Scored) 590 | 591 | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoti 592 | ceText 593 | 594 | ###### CCE-24020-0 595 | Configure 'Interactive logon: Message title for users attempting to log on' (Scored) 596 | 597 | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoti 598 | ceCaption 599 | 600 | ###### CCE-24408-7 601 | Configure 'Interactive logon: Require smart card' (Not Scored) 602 | 603 | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\scforceop 604 | tion 605 | 606 | ###### CCE-24748-6 607 | Set 'Interactive logon: Do not display last user name' to 'Enabled' (Scored) 608 | 609 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security 610 | Options\Interactive logon: Do not display last user name 611 | 612 | ###### CCE-25803-8 613 | Set 'Interactive logon: Do not require CTRL+ALT+DEL' to 'Disabled' (Scored) 614 | 615 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security 616 | Options\Interactive logon: Do not require CTRL+ALT+DEL 617 | 618 | ###### CCE-23043-3 619 | Set 'Interactive logon: Machine inactivity limit' to '900 or fewer seconds' (Scored) 620 | 621 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security 622 | Options\Interactive logon: Machine inactivity limit 623 | 624 | 625 | ###### CCE-24264-4[DOMAIN CONTROLLER] 626 | 
Set 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' to '4 or fewer logon(s)' (Scored) 627 | 628 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security 629 | Options\Interactive logon: Number of previous logons to cache (in case domain 630 | controller is not available) 631 | 632 | ###### CCE-23704-0 633 | Set 'Interactive logon: Prompt user to change password before expiration' to '14 or more day(s)' (Scored) 634 | 635 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security 636 | Options\Interactive logon: Prompt user to change password before expiration 637 | 638 | 639 | ###### CCE-25643-8[DOMAIN CONTROLLER] 640 | Set 'Interactive logon: Require Domain Controller authentication to unlock workstation' to 'Disabled' (Scored) 641 | 642 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security 643 | Options\Interactive logon: Require Domain Controller authentication to unlock 644 | workstation 645 | 646 | ###### CCE-24154-7 647 | Set 'Interactive logon: Smart card removal behavior' to 'Lock Workstation' (Scored) 648 | 649 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security 650 | Options\Interactive logon: Smart card removal behavior 651 | 652 | ###### CCE-22731-4 653 | Set 'Interactive logon: Machine account lockout threshold' to 10 or fewer invalid logon attempts (Scored) 654 | 655 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security 656 | Options\Interactive logon: Machine account lockout threshold 657 | 658 | 659 | ###### CCE-24969-8[SIDE EFFECT] 660 | Set 'Microsoft network client: Digitally sign communications (always)' to 'Enabled' (Scored) 661 | 662 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security 663 | Options\Microsoft network client: Digitally sign communications (always) 664 | 665 | ###### CCE-24740-3 666 | Set 'Microsoft 
network client: Digitally sign communications (if server agrees)' to 'Enabled' (Scored) 667 | 668 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security 669 | Options\Microsoft network client: Digitally sign communications (if server agrees) 670 | 671 | ###### CCE-24751-0 672 | Set 'Microsoft network client: Send unencrypted password to third-party SMB servers' to 'Disabled' (Scored) 673 | 674 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security 675 | Options\Microsoft network client: Send unencrypted password to third-party SMB servers 676 | 677 | ###### CCE-24502-7 678 | Configure 'Microsoft network server: Server SPN target name validation level' (Not Scored) 679 | 680 | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\SMBServer 681 | NameHardeningLevel 682 | 683 | ###### CCE-23897-2 684 | Set 'Microsoft network server: Amount of idle time required before suspending session' to '15 or fewer minute(s)' (Scored) 685 | 686 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security 687 | Options\Microsoft network server: Amount of idle time required before suspending 688 | session 689 | 690 | ###### CCE-23716-4 691 | Set 'Microsoft network server: Digitally sign communications (always)' to 'Enabled' (Scored) 692 | 693 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security 694 | Options\Microsoft network server: Digitally sign communications (always) 695 | 696 | ###### CCE-24354-3 697 | Set 'Microsoft network server: Digitally sign communications (if client agrees)' to 'Enabled' (Scored) 698 | 699 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security 700 | Options\Microsoft network server: Digitally sign communications (if client agrees) 701 | 702 | ###### CCE-24148-9 703 | Set 'Microsoft network server: Disconnect clients when logon hours expire' to 'Enabled' (Scored) 704 | 705 | Computer 
Configuration\Windows Settings\Security Settings\Local Policies\Security 706 | Options\Microsoft network server: Disconnect clients when logon hours expire 707 | 708 | ###### CCE-24205-7 709 | Configure 'MSS: (AutoReboot) Allow Windows to automatically restart after a system crash (recommended except for highly secure environments)' (Not Scored) 710 | 711 | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\AutoReboot 712 | 713 | ###### CCE-24217-2 714 | Configure 'MSS: (AutoShareServer) Enable Administrative Shares (recommended except for highly secure environments)' (Not Scored) 715 | 716 | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\AutoShare 717 | Server 718 | 719 | 720 | ###### CCE-24977-1[SIDE EFFECT] 721 | Configure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' (Not Scored) 722 | 723 | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect 724 | 725 | ###### CCE-24074-7 726 | Configure 'MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments)' (Not Scored) 727 | 728 | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Lanmanserver\Parameters\Hidden 729 | 730 | ###### CCE-24310-5 731 | Configure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' (Not Scored) 732 | 733 | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime 734 | 735 | ###### CCE-24253-7 736 | Configure 'MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic.' 
(Not Scored) 737 | 738 | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IPSEC\NoDefaultExempt 739 | 740 | ###### CCE-23715-6 741 | Configure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' (Not Scored) 742 | 743 | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnD 744 | emand 745 | 746 | ###### CCE-23677-8 747 | Configure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' (Not Scored) 748 | 749 | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDis 750 | covery 751 | 752 | ###### CCE-25202-3 753 | Configure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' (Not Scored) 754 | 755 | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters\TcpMaxDataRetra 756 | nsmissions 757 | 758 | ###### CCE-25455-7 759 | Configure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' (Not Scored) 760 | 761 | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetran 762 | smissions 763 | 764 | ###### CCE-24927-6 765 | Set 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' to 'Disabled' (Scored) 766 | 767 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security 768 | Options\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) 769 | 770 | ###### CCE-24452-5 771 | Set 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' to 'Highest protection, source routing is completely disabled' (Scored) 772 | 773 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security 774 | Options\MSS: (DisableIPSourceRouting IPv6) IP source routing protection level 775 | (protects against packet spoofing) 
776 | 777 | ###### CCE-24968-0 778 | Set 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' to 'Highest protection, source routing is completely disabled' (Scored) 779 | 780 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security 781 | Options\MSS: (DisableIPSourceRouting) IP source routing protection level (protects 782 | against packet spoofing) 783 | 784 | ###### CCE-23462-5 785 | Set 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' to 'Enabled' (Scored) 786 | 787 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security 788 | Options\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) 789 | 790 | ###### CCE-24993-8 791 | Set 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' to '0' (Scored) 792 | 793 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security 794 | Options\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver 795 | grace period expires (0 recommended) 796 | 797 | ###### CCE-25110-8 798 | Set 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' to '0.9 or less' (Scored) 799 | 800 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security 801 | Options\MSS: (WarningLevel) Percentage threshold for the security event log at which 802 | the system will generate a warning 803 | 804 | ###### CCE-23358-5 805 | Configure 'Network access: Do not allow storage of passwords and credentials for network authentication' (Not Scored) 806 | 807 | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds 808 | 809 | ###### CCE-25466-4 810 | Configure 'Network access: Named Pipes that can be accessed anonymously' (Not Scored) 811 | 812 | 
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessi 813 | onPipes 814 | 815 | ###### CCE-25592-7 816 | Configure 'Network access: Shares that can be accessed anonymously' (Not Scored) 817 | 818 | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessi 819 | onShares 820 | 821 | ###### CCE-24597-7 822 | Set 'Network access: Allow anonymous SID/Name translation' to 'Disabled' (Scored) 823 | 824 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security 825 | Options\Network access: Allow anonymous SID/Name translation 826 | 827 | ###### CCE-24774-2 828 | Set 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' to 'Enabled' (Scored) 829 | 830 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security 831 | Options\Network access: Do not allow anonymous enumeration of SAM accounts and shares 832 | 833 | ###### CCE-23082-1 834 | Set 'Network access: Do not allow anonymous enumeration of SAM accounts' to 'Enabled' (Scored) 835 | 836 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security 837 | Options\Network access: Do not allow anonymous enumeration of SAM accounts 838 | 839 | ###### CCE-23807-1 840 | Set 'Network access: Let Everyone permissions apply to anonymous users' to 'Disabled' (Scored) 841 | 842 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security 843 | Options\Network access: Let Everyone permissions apply to anonymous users 844 | 845 | 846 | ###### CCE-25426-8 
Set 'Network access: Remotely accessible registry paths and sub-paths' to 'System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog' (Scored) 847 | 848 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Remotely accessible registry paths and sub-paths 849 | 850 | Set to: 851 | System\CurrentControlSet\Control\Print\Printers 852 | System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server 853 | Software\Microsoft\Windows NT\CurrentVersion\Print 854 | Software\Microsoft\Windows NT\CurrentVersion\Windows 855 | System\CurrentControlSet\Control\ContentIndex 856 | System\CurrentControlSet\Control\Terminal Server 857 | System\CurrentControlSet\Control\Terminal Server\UserConfig 858 | System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration 859 | Software\Microsoft\Windows NT\CurrentVersion\Perflib 860 | System\CurrentControlSet\Services\SysmonLog 861 | 862 | 863 | ###### CCE-23899-8 
Set 'Network access: Remotely accessible registry paths' to 'System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion' (Scored) 864 | 865 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Remotely accessible registry paths 866 | 867 | Set to: 868 | System\CurrentControlSet\Control\ProductOptions 869 | System\CurrentControlSet\Control\Server Applications 870 | Software\Microsoft\Windows NT\CurrentVersion 871 | 872 | ###### CCE-24564-7 873 | Set 'Network access: Restrict anonymous access to Named Pipes and Shares' to 'Enabled' (Scored) 874 | 875 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security 876 | Options\Network access: Restrict anonymous access to Named Pipes and Shares 877 | 878 | ###### CCE-22742-1 879 | Set 'Network access: Sharing and security model for local accounts' to 'Classic - local users authenticate as themselves' (Scored) 880 | 881 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security 882 | Options\Network access: Sharing and security model for local accounts 883 | 884 | ###### CCE-25299-9 885 | Configure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' (Not Scored) 886 | 887 | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u\AllowOnlineID 888 | 889 | ###### CCE-24147-1 890 | Configure 'Network Security: Configure encryption types allowed for Kerberos' (Not Scored) 891 | 892 | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\ 893 | Parameters\SupportedEncryptionTypes 894 | 895 | ###### CCE-25367-4 896 | Configure 'Network security: Force logoff when logon hours expire' (Not Scored) 897 | 898 | WHAT??! 
899 | 900 | ###### CCE-25046-4 901 | Configure 'Network Security: Restrict NTLM: Add remote server exceptions for NTLM authentication' (Not Scored) 902 | 903 | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\ClientAllowedNTLMServers 904 | 905 | ###### CCE-23483-1 906 | Configure 'Network Security: Restrict NTLM: Add server exceptions in this domain' (Not Scored) 907 | 908 | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DCAllowedNTLMServers 909 | 910 | ###### CCE-23338-7 911 | Configure 'Network Security: Restrict NTLM: Audit Incoming NTLM Traffic' (Not Scored) 912 | 913 | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\AuditReceivingNTLMTraffic 914 | 915 | ###### CCE-24238-8 916 | Configure 'Network Security: Restrict NTLM: Audit NTLM authentication in this domain' (Not Scored) 917 | 918 | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\AuditNTLMInDomain 919 | 920 | ###### CCE-24393-1 921 | Configure 'Network Security: Restrict NTLM: Incoming NTLM traffic' (Not Scored) 922 | 923 | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\RestrictReceivingNTLMTraffic 924 | 925 | ###### CCE-25645-3 926 | Configure 'Network Security: Restrict NTLM: NTLM authentication in this domain' (Not Scored) 927 | 928 | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RestrictNTLMInDomain 929 | 930 | ###### CCE-25095-1 931 | Configure 'Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers' (Not Scored) 932 | 933 | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\RestrictSendingNTLMTraffic 934 | 935 | 936 | ###### CCE-25508-3[DOMAIN CONTROLLER] 937 | Set 'Network security: Allow Local System to use computer identity for NTLM' to 'Enabled' (Scored) 938 | 939 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Allow Local System to use computer identity for NTLM 940 | 941 | 942 | 
###### CCE-25531-5[DOMAIN CONTROLLER] 943 | Set 'Network security: Allow LocalSystem NULL session fallback' to 'Disabled' (Scored) 944 | 945 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Allow LocalSystem NULL session fallback 946 | 947 | ###### CCE-24150-5 948 | Set 'Network security: Do not store LAN Manager hash value on next password change' to 'Enabled' (Scored) 949 | 950 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Do not store LAN Manager hash value on next password change 951 | 952 | ###### CCE-24650-4 953 | Set 'Network security: LAN Manager authentication level' to 'Send NTLMv2 response only. Refuse LM & NTLM' (Scored) 954 | 955 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LAN Manager authentication level 956 | 957 | ###### CCE-25245-2 958 | Set 'Network security: LDAP client signing requirements' to 'Negotiate signing' (Scored) 959 | 960 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LDAP client signing requirements 961 | 962 | 963 | ###### CCE-24783-3[SIDE EFFECT] 964 | Set 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' to 'Require NTLMv2 session security,Require 128-bit encryption' (Scored) 965 | 966 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients 967 | 968 | ###### CCE-25264-3 969 | Set 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' to 'Require NTLMv2 session security,Require 128-bit encryption' (Scored) 970 | 971 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including 
secure RPC) servers 972 | 973 | ###### CCE-24470-7 974 | Set 'Recovery console: Allow automatic administrative logon' to 'Disabled' (Scored) 975 | 976 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Recovery console: Allow automatic administrative logon 977 | 978 | ###### CCE-25274-2 979 | Set 'Recovery console: Allow floppy copy and access to all drives and all folders' to 'Disabled' (Scored) 980 | 981 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Recovery console: Allow floppy copy and access to all drives and all folders 982 | 983 | ###### CCE-25100-9 984 | Set 'Shutdown: Allow system to be shut down without having to log on' to 'Disabled' (Scored) 985 | 986 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security 987 | Options\Shutdown: Allow system to be shut down without having to log on 988 | 989 | ###### CCE-25120-7 990 | Set 'Shutdown: Clear virtual memory pagefile' to 'Disabled' (Scored) 991 | 992 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security 993 | Options\Shutdown: Clear virtual memory pagefile 994 | 995 | ###### CCE-23711-5 996 | Configure 'System cryptography: Force strong key protection for user keys stored on the computer' (Not Scored) 997 | 998 | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Cryptography\ForceKeyProtection 999 | 1000 | ###### CCE-23921-0 1001 | Set 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing' to 'Enabled' (Scored) 1002 | 1003 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security 1004 | Options\System cryptography: Use FIPS compliant algorithms for encryption, hashing, 1005 | and signing 1006 | 1007 | ###### CCE-24870-8 1008 | Set 'System objects: Require case insensitivity for non-Windows subsystems' to 'Enabled' (Scored) 1009 | 1010 | Computer Configuration\Windows Settings\Security Settings\Local 
Policies\Security Options\System objects: Require case insensitivity for non-Windows subsystems 1011 | 1012 | ###### CCE-24633-0 1013 | Set 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' to 'Enabled' (Scored) 1014 | 1015 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security 1016 | Options\System objects: Strengthen default permissions of internal system objects 1017 | (e.g. Symbolic Links) 1018 | 1019 | ###### CCE-24878-1 1020 | Configure 'System settings: Optional subsystems' (Not Scored) 1021 | 1022 | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\optional 1023 | 1024 | ###### CCE-24939-1 1025 | Set 'System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies' to 'Enabled' (Scored) 1026 | 1027 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security 1028 | Options\System settings: Use Certificate Rules on Windows Executables for Software 1029 | Restriction Policies 1030 | 1031 | ###### CCE-24134-9 1032 | Set 'User Account Control: Admin Approval Mode for the Built-in Administrator account' to 'Enabled' (Scored) 1033 | 1034 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Admin Approval Mode for the Built-in Administrator account 1035 | 1036 | ###### CCE-23295-9 1037 | Set 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' to 'Disabled' (Scored) 1038 | 1039 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop 1040 | 1041 | ###### CCE-23877-4 1042 | Set 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' to 'Prompt for consent for non-Windows binaries' (Scored) 1043 | 1044 | Computer 
Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode 1045 | 1046 | ###### CCE-24519-1 1047 | Set 'User Account Control: Behavior of the elevation prompt for standard users' to 'Prompt for credentials' (Scored) 1048 | 1049 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Behavior of the elevation prompt for standard users 1050 | 1051 | ###### CCE-24498-8 1052 | Set 'User Account Control: Detect application installations and prompt for elevation' to 'Enabled' (Scored) 1053 | 1054 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Detect application installations and prompt for 1055 | elevation 1056 | 1057 | ###### CCE-23880-8 1058 | Set 'User Account Control: Only elevate executables that are signed and validated' to 'Disabled' (Scored) 1059 | 1060 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Only elevate executables that are signed and validated 1061 | 1062 | ###### CCE-25471-4 1063 | Set 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' to 'Enabled' (Scored) 1064 | 1065 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Only elevate UIAccess applications that are installed in 1066 | secure locations 1067 | 1068 | ###### CCE-23653-9 1069 | Set 'User Account Control: Run all administrators in Admin Approval Mode' to 'Enabled' (Scored) 1070 | 1071 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Run all administrators in Admin Approval Mode 1072 | 1073 | ###### CCE-23656-2 1074 | Set 'User Account Control: Switch to the secure desktop when prompting for elevation' to 'Enabled' 
(Scored) 1075 | 1076 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Switch to the secure desktop when prompting for elevation 1077 | 1078 | ###### CCE-24231-3 1079 | Set 'User Account Control: Virtualize file and registry write failures to per-user locations' to 'Enabled' (Scored) 1080 | 1081 | Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Virtualize file and registry write failures to per-user locations 1082 | 1083 | ###### CCE-23273-6 1084 | Configure 'Deny log on through Remote Desktop Services' (Not Scored) 1085 | 1086 | Optional 1087 | 1088 | ###### CCE-25619-8 1089 | Configure 'Log on as a service' (Not Scored) 1090 | 1091 | Optional 1092 | 1093 | ###### CCE-25683-4 1094 | Set 'Access Credential Manager as a trusted caller' to 'No One' (Scored) 1095 | 1096 | Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Access Credential Manager as a trusted caller 1097 | 1098 | ###### CCE-24938-3 1099 | Configure 'Access this computer from the network' (Scored) 1100 | 1101 | Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Access this computer from the network 1102 | 1103 | The recommended state for this setting is: 1104 | - Administrators, Authenticated Users 1105 | 1106 | ###### CCE-25043-1 1107 | Set 'Act as part of the operating system' to 'No One' (Scored) 1108 | 1109 | Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Act as part of the operating system 1110 | 1111 | 1112 | ###### CCE-23271-0[DOMAIN CONTROLLER] 1113 | Set 'Add workstations to domain' to 'Administrators' (Scored) 1114 | 1115 | Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Add workstations to domain 1116 | 1117 | ###### CCE-25112-4 1118 | Set 'Adjust memory quotas for a process' to 
'Administrators, Local Service, Network Service' (Scored) 1119 | 1120 | Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Adjust memory quotas for a process 1121 | 1122 | ###### CCE-25228-8 1123 | Set 'Allow log on locally' to 'Administrators' (Scored) 1124 | 1125 | Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally 1126 | 1127 | ###### CCE-24406-1 1128 | Set 'Allow log on through Remote Desktop Services' to 'Administrators' (Scored) 1129 | 1130 | Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on through Remote Desktop Services 1131 | 1132 | ###### CCE-25380-7 1133 | Set 'Back up files and directories' to 'Administrators' (Scored) 1134 | 1135 | Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Back up files and directories 1136 | 1137 | ###### CCE-25271-8 1138 | Configure 'Bypass traverse checking' (Scored) 1139 | 1140 | Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights 1141 | Assignment\Bypass traverse checking 1142 | 1143 | The recommended state for this setting is: 1144 | - Administrators, Authenticated Users, Backup Operators, Local Service, Network Service. 1145 | 1146 | ###### CCE-24185-1 1147 | Set 'Change the system time' to 'LOCAL SERVICE, Administrators' (Scored) 1148 | 1149 | Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Change the system time 1150 | 1151 | Set the following Group Policy setting to: 1152 | - LOCAL SERVICE, Administrators. 
1153 | 1154 | ###### CCE-24632-2 1155 | Set 'Change the time zone' to 'LOCAL SERVICE, Administrators' (Scored) 1156 | 1157 | Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Change the time zone 1158 | 1159 | Set the following Group Policy setting to: 1160 | - LOCAL SERVICE, Administrators. 1161 | 1162 | ###### CCE-23972-3 1163 | Set 'Create a pagefile' to 'Administrators' (Scored) 1164 | 1165 | Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create a pagefile 1166 | 1167 | ###### CCE-23939-2 1168 | Set 'Create a token object' to 'No One' (Scored) 1169 | 1170 | Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create a token object 1171 | 1172 | ###### CCE-23850-1 1173 | Set 'Create global objects' to 'Administrators, SERVICE, LOCAL SERVICE, NETWORK SERVICE' (Scored) 1174 | 1175 | Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create global objects 1176 | 1177 | ###### CCE-23723-0 1178 | Set 'Create permanent shared objects' to 'No One' (Scored) 1179 | 1180 | Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create permanent shared objects 1181 | 1182 | ###### CCE-24549-8 1183 | Set 'Create symbolic links' to 'Administrators' (Scored) 1184 | 1185 | Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create symbolic links 1186 | 1187 | 1188 | ###### CCE-23648-9[SIDE EFFECT] 1189 | Set 'Debug programs' to 'Administrators' (Scored) 1190 | 1191 | Windows Product Updates may stop responding or may use most or all of the CPU resources; see the Microsoft Knowledge Base article (http://go.microsoft.com/fwlink/?LinkId=100747). 
1192 | 1193 | Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Debug programs 1194 | 1195 | ###### CCE-24188-5 1196 | Set 'Deny access to this computer from the network' to 'Guests' (Scored) 1197 | 1198 | Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny access to this computer from the network 1199 | 1200 | ###### CCE-25215-5 1201 | Set 'Deny log on as a batch job' to 'Guests' (Scored) 1202 | 1203 | Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as a batch job 1204 | 1205 | ###### CCE-23117-5 1206 | Set 'Deny log on as a service' to 'No One' (Scored) 1207 | 1208 | Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as a service 1209 | 1210 | ###### CCE-24460-8 1211 | Set 'Deny log on locally' to 'Guests' (Scored) 1212 | 1213 | Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on locally 1214 | 1215 | 1216 | ## Limitations 1217 | 1218 | Windows only ofc 1219 | 1220 | -------------------------------------------------------------------------------- /Rakefile: -------------------------------------------------------------------------------- 1 | require 'rubygems' 2 | require 'puppetlabs_spec_helper/rake_tasks' 3 | require 'puppet-lint/tasks/puppet-lint' 4 | PuppetLint.configuration.send('disable_80chars') 5 | PuppetLint.configuration.ignore_paths = ["spec/**/*.pp", "pkg/**/*.pp"] 6 | 7 | desc "Validate manifests, templates, and ruby files" 8 | task :validate do 9 | Dir['manifests/**/*.pp'].each do |manifest| 10 | sh "puppet parser validate --noop #{manifest}" 11 | end 12 | Dir['spec/**/*.rb','lib/**/*.rb'].each do |ruby_file| 13 | sh "ruby -c #{ruby_file}" unless ruby_file =~ /spec\/fixtures/ 14 | end 15 | Dir['templates/**/*.erb'].each do |template| 16 | sh "erb -P -x -T '-' #{template} | ruby -c" 17 | 
end 18 | end 19 | -------------------------------------------------------------------------------- /files/gp_utils/lgpo.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/noma4i/puppet-windows_cis/c0b4fe652341ad3eeaa1580167ef0ba066532a78/files/gp_utils/lgpo.exe -------------------------------------------------------------------------------- /files/gp_utils/policy.inf: -------------------------------------------------------------------------------- 1 | [Unicode] 2 | Unicode=yes 3 | [System Access] 4 | MinimumPasswordAge = 0 5 | MaximumPasswordAge = 42 6 | MinimumPasswordLength = 0 7 | PasswordComplexity = 1 8 | PasswordHistorySize = 0 9 | LockoutBadCount = 5 10 | ResetLockoutCount = 35 11 | LockoutDuration = 35 12 | RequireLogonToChangePassword = 0 13 | ForceLogoffWhenHourExpire = 0 14 | NewAdministratorName = "Administrator" 15 | NewGuestName = "Guest" 16 | ClearTextPassword = 0 17 | LSAAnonymousNameLookup = 0 18 | EnableAdminAccount = 1 19 | EnableGuestAccount = 0 20 | [Event Audit] 21 | AuditSystemEvents = 0 22 | AuditLogonEvents = 0 23 | AuditObjectAccess = 0 24 | AuditPrivilegeUse = 0 25 | AuditPolicyChange = 0 26 | AuditAccountManage = 0 27 | AuditProcessTracking = 0 28 | AuditDSAccess = 0 29 | AuditAccountLogon = 0 30 | [Version] 31 | signature="$CHICAGO$" 32 | Revision=1 33 | [Registry Values] 34 | MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0 35 | MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand=4,0 36 | MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"10" 37 | MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon=4,0 38 | MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,5 39 | MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption=1,"0" 40 | 
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin=4,5 41 | MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser=4,3 42 | MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0 43 | MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,0 44 | MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection=4,1 45 | MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA=4,1 46 | MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths=4,1 47 | MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle=4,0 48 | MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization=4,1 49 | MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken=4,0 50 | MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,"" 51 | MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7, 52 | MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop=4,1 53 | MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ScForceOption=4,0 54 | MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,0 55 | MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon=4,1 56 | MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures=4,0 57 | MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\AuthenticodeEnabled=4,0 58 | MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects=4,0 59 | MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,0 60 | MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds=4,0 61 | 
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0 62 | MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled=4,0 63 | MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,0 64 | MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing=3,0 65 | MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1 66 | MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,536870912 67 | MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,536870912 68 | MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1 69 | MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0 70 | MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1 71 | MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers=4,1 72 | MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\Machine=7,System\CurrentControlSet\Control\ProductOptions,System\CurrentControlSet\Control\Server Applications,Software\Microsoft\Windows NT\CurrentVersion 73 | MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine=7,System\CurrentControlSet\Control\Print\Printers,System\CurrentControlSet\Services\Eventlog,Software\Microsoft\OLAP Server,Software\Microsoft\Windows NT\CurrentVersion\Print,Software\Microsoft\Windows NT\CurrentVersion\Windows,System\CurrentControlSet\Control\ContentIndex,System\CurrentControlSet\Control\Terminal Server,System\CurrentControlSet\Control\Terminal Server\UserConfig,System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration,Software\Microsoft\Windows NT\CurrentVersion\Perflib,System\CurrentControlSet\Services\SysmonLog 74 | MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive=4,1 75 | MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,0 76 | 
MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode=4,1 77 | MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\optional=7, 78 | MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect=4,15 79 | MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff=4,1 80 | MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,0 81 | MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes=7,HydraLsPipe,TermServLicensing 82 | MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0 83 | MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess=4,1 84 | MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword=4,0 85 | MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1 86 | MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,0 87 | MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity=4,1 88 | MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange=4,0 89 | MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge=4,30 90 | MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1 91 | MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey=4,1 92 | MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel=4,1 93 | MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel=4,1 94 | [Privilege Rights] 95 | SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551 96 | SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551 97 | SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551,*S-1-5-90-0 98 | SeSystemtimePrivilege = 
*S-1-5-19,*S-1-5-32-544 99 | SeCreatePagefilePrivilege = *S-1-5-32-544 100 | SeDebugPrivilege = *S-1-5-32-544 101 | SeRemoteShutdownPrivilege = *S-1-5-32-544 102 | SeAuditPrivilege = *S-1-5-19,*S-1-5-20 103 | SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544 104 | SeIncreaseBasePriorityPrivilege = *S-1-5-32-544 105 | SeLoadDriverPrivilege = *S-1-5-32-544 106 | SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-559,*S-1-5-32-568 107 | SeServiceLogonRight = *S-1-5-80-0 108 | SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551 109 | SeSecurityPrivilege = *S-1-5-32-544 110 | SeSystemEnvironmentPrivilege = *S-1-5-32-544 111 | SeProfileSingleProcessPrivilege = *S-1-5-32-544 112 | SeSystemProfilePrivilege = *S-1-5-32-544,*S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420 113 | SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20 114 | SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551 115 | SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-551 116 | SeTakeOwnershipPrivilege = *S-1-5-32-544 117 | SeUndockPrivilege = *S-1-5-32-544 118 | SeManageVolumePrivilege = *S-1-5-32-544 119 | SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555 120 | SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-32-568,*S-1-5-6 121 | SeCreateGlobalPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6 122 | SeIncreaseWorkingSetPrivilege = *S-1-5-32-545,*S-1-5-90-0 123 | SeTimeZonePrivilege = *S-1-5-19,*S-1-5-32-544 124 | SeCreateSymbolicLinkPrivilege = *S-1-5-32-544 125 | -------------------------------------------------------------------------------- /files/gp_utils/rules_list.txt: -------------------------------------------------------------------------------- 1 | Computer 2 | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer 3 | NoDriveTypeAutoRun 4 | DWORD:255 5 | 6 | Computer 7 | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\WAU 8 | Disabled 9 | DWORD:1 10 | 11 | Computer 12 | 
Software\Microsoft\Windows\CurrentVersion\Policies\Ext 13 | NoFirsttimeprompt 14 | DWORD:1 15 | 16 | Computer 17 | Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar 18 | TurnOffSidebar 19 | DWORD:1 20 | 21 | Computer 22 | Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar 23 | TurnOffUserInstalledGadgets 24 | DWORD:1 25 | 26 | Computer 27 | Software\Policies\Microsoft\Internet Explorer\LinksBar 28 | Enabled 29 | DWORD:0 30 | 31 | Computer 32 | Software\Policies\Microsoft\Internet Explorer\PhishingFilter 33 | Enabled 34 | DWORD:2 35 | 36 | Computer 37 | Software\Policies\Microsoft\Internet Explorer\Recovery 38 | AutoRecover 39 | DWORD:2 40 | 41 | Computer 42 | Software\Policies\Microsoft\Internet Explorer\Restrictions 43 | NoCrashDetection 44 | DWORD:1 45 | 46 | Computer 47 | Software\Policies\Microsoft\SystemCertificates\DPNGRA\Certificates 48 | * 49 | CREATEKEY 50 | 51 | Computer 52 | Software\Policies\Microsoft\SystemCertificates\DPNGRA\CRLs 53 | * 54 | CREATEKEY 55 | 56 | Computer 57 | Software\Policies\Microsoft\SystemCertificates\DPNGRA\CTLs 58 | * 59 | CREATEKEY 60 | 61 | Computer 62 | Software\Policies\Microsoft\SystemCertificates\FVE\Certificates 63 | * 64 | CREATEKEY 65 | 66 | Computer 67 | Software\Policies\Microsoft\SystemCertificates\FVE\CRLs 68 | * 69 | CREATEKEY 70 | 71 | Computer 72 | Software\Policies\Microsoft\SystemCertificates\FVE\CTLs 73 | * 74 | CREATEKEY 75 | 76 | Computer 77 | Software\Policies\Microsoft\Windows\Safer 78 | * 79 | CREATEKEY 80 | 81 | Computer 82 | Software\Policies\Microsoft\Windows NT\Terminal Services 83 | DisablePasswordSaving 84 | DWORD:1 85 | 86 | Computer 87 | Software\Policies\Microsoft\Windows NT\Terminal Services 88 | fDisableAutoReconnect 89 | DWORD:0 90 | 91 | Computer 92 | Software\Policies\Microsoft\Windows NT\Terminal Services 93 | fDisableCam 94 | DWORD:1 95 | 96 | Computer 97 | Software\Policies\Microsoft\Windows NT\Terminal Services 98 | fDisableAudioCapture 99 | DWORD:1 100 | 
101 | Computer 102 | Software\Policies\Microsoft\Windows NT\Terminal Services 103 | AllowedAudioQualityMode 104 | DELETE 105 | 106 | Computer 107 | Software\Policies\Microsoft\Windows NT\Terminal Services 108 | fDisableCcm 109 | DWORD:1 110 | 111 | Computer 112 | Software\Policies\Microsoft\Windows NT\Terminal Services 113 | fDisableClip 114 | DWORD:1 115 | 116 | Computer 117 | Software\Policies\Microsoft\Windows NT\Terminal Services 118 | fDisableCdm 119 | DWORD:1 120 | 121 | Computer 122 | Software\Policies\Microsoft\Windows NT\Terminal Services 123 | fDisableLPT 124 | DWORD:1 125 | 126 | Computer 127 | Software\Policies\Microsoft\Windows NT\Terminal Services 128 | fDisablePNPRedir 129 | DWORD:1 130 | 131 | Computer 132 | Software\Policies\Microsoft\Windows NT\Terminal Services 133 | fEnableSmartCard 134 | DWORD:0 135 | 136 | Computer 137 | Software\Policies\Microsoft\Windows NT\Terminal Services 138 | fEnableTimeZoneRedirection 139 | DWORD:1 140 | 141 | Computer 142 | Software\Policies\Microsoft\Windows NT\Terminal Services 143 | fDisableCpm 144 | DWORD:1 145 | 146 | -------------------------------------------------------------------------------- /manifests/auditpol.pp: -------------------------------------------------------------------------------- 1 | class windows_cis::auditpol() { 2 | # CCE-25088-6 3 | auditpol { 'Credential Validation': 4 | success => 'enable', 5 | failure => 'enable' 6 | } 7 | # CCE-24553-0 8 | auditpol { 'Kerberos Authentication Service': 9 | success => 'disable', 10 | failure => 'disable' 11 | } 12 | # CCE-25549-7 13 | auditpol { 'Kerberos Service Ticket Operations': 14 | success => 'disable', 15 | failure => 'disable' 16 | } 17 | # CCE-24509-2 18 | auditpol { 'Other Account Logon Events': 19 | success => 'disable', 20 | failure => 'disable' 21 | } 22 | # CCE-24868-2 23 | auditpol { 'Application Group Management': 24 | success => 'disable', 25 | failure => 'disable' 26 | } 27 | # CCE-23482-3 28 | auditpol { 'Computer Account Management': 
29 | success => 'enable', 30 | failure => 'enable' 31 | } 32 | # CCE-25739-4 33 | auditpol { 'Distribution Group Management': 34 | success => 'disable', 35 | failure => 'disable' 36 | } 37 | # CCE-24588-6 38 | auditpol { 'Other Account Management Events': 39 | success => 'enable', 40 | failure => 'enable' 41 | } 42 | # CCE-23955-8 43 | # auditpol { 'Security Group Management': 44 | # success => 'enable', 45 | # failure => 'enable' 46 | # } 47 | # CCE-25123-1 48 | auditpol { 'User Account Management': 49 | success => 'enable', 50 | failure => 'enable' 51 | } 52 | # CCE-25011-8 53 | auditpol { 'DPAPI Activity': 54 | success => 'disable', 55 | failure => 'disable' 56 | } 57 | # CCE-25461-5 58 | auditpol { 'Process Creation': 59 | success => 'enable', 60 | failure => 'disable' 61 | } 62 | # CCE-25490-4 63 | auditpol { 'Process Termination': 64 | success => 'disable', 65 | failure => 'disable' 66 | } 67 | # CCE-23502-8 68 | auditpol { 'RPC Events': 69 | success => 'disable', 70 | failure => 'disable' 71 | } 72 | # CCE-24598-5 73 | auditpol { 'Account Lockout': 74 | success => 'disable', 75 | failure => 'disable' 76 | } 77 | # CCE-24404-6 78 | auditpol { 'IPsec Extended Mode': 79 | success => 'disable', 80 | failure => 'disable' 81 | } 82 | # CCE-24584-5 83 | auditpol { 'IPsec Main Mode': 84 | success => 'disable', 85 | failure => 'disable' 86 | } 87 | # CCE-23614-1 88 | auditpol { 'IPsec Quick Mode': 89 | success => 'disable', 90 | failure => 'disable' 91 | } 92 | # CCE-24901-1 93 | auditpol { 'Logoff': 94 | success => 'enable', 95 | failure => 'disable' 96 | } 97 | # CCE-23670-3 98 | auditpol { 'Logon': 99 | success => 'enable', 100 | failure => 'enable' 101 | } 102 | # CCE-25189-2 103 | auditpol { 'Network Policy Server': 104 | success => 'disable', 105 | failure => 'disable' 106 | } 107 | # CCE-24494-7 108 | auditpol { 'Other Logon/Logoff Events': 109 | success => 'disable', 110 | failure => 'disable' 111 | } 112 | # CCE-24187-7 113 | auditpol { 'Special Logon': 114 
| success => 'enable', 115 | failure => 'disable' 116 | } 117 | # CCE-25316-1 118 | auditpol { 'Application Generated': 119 | success => 'disable', 120 | failure => 'disable' 121 | } 122 | # CCE-24643-9 123 | auditpol { 'Central Policy Staging': 124 | success => 'disable', 125 | failure => 'disable' 126 | } 127 | # CCE-23129-0 128 | auditpol { 'Certification Services': 129 | success => 'disable', 130 | failure => 'disable' 131 | } 132 | # CCE-24791-6 133 | auditpol { 'Detailed File Share': 134 | success => 'disable', 135 | failure => 'disable' 136 | } 137 | # CCE-24035-8 138 | auditpol { 'File Share': 139 | success => 'disable', 140 | failure => 'disable' 141 | } 142 | # CCE-24456-6 143 | auditpol { 'File System': 144 | success => 'disable', 145 | failure => 'disable' 146 | } 147 | # CCE-24714-8 148 | auditpol { 'Filtering Platform Connection': 149 | success => 'disable', 150 | failure => 'disable' 151 | } 152 | # CCE-24824-5 153 | auditpol { 'Filtering Platform Packet Drop': 154 | success => 'disable', 155 | failure => 'disable' 156 | } 157 | # CCE-24599-3 158 | auditpol { 'Handle Manipulation': 159 | success => 'disable', 160 | failure => 'disable' 161 | } 162 | # CCE-23655-4 163 | auditpol { 'Kernel Object': 164 | success => 'disable', 165 | failure => 'disable' 166 | } 167 | # CCE-24236-2 168 | auditpol { 'Other Object Access Events': 169 | success => 'disable', 170 | failure => 'disable' 171 | } 172 | # CCE-23630-7 173 | auditpol { 'Registry': 174 | success => 'disable', 175 | failure => 'disable' 176 | } 177 | # CCE-22826-2 178 | auditpol { 'Removable Storage': 179 | success => 'disable', 180 | failure => 'disable' 181 | } 182 | # CCE-24439-2 183 | auditpol { 'SAM': 184 | success => 'disable', 185 | failure => 'disable' 186 | } 187 | # CCE-25035-7 188 | auditpol { 'Audit Policy Change': 189 | success => 'enable', 190 | failure => 'enable' 191 | } 192 | # CCE-25674-3 193 | auditpol { 'Authentication Policy Change': 194 | success => 'enable', 195 | failure => 
'disable' 196 | } 197 | # CCE-24421-0 198 | auditpol { 'Authorization Policy Change': 199 | success => 'disable', 200 | failure => 'disable' 201 | } 202 | # CCE-24965-6 203 | auditpol { 'Filtering Platform Policy Change': 204 | success => 'disable', 205 | failure => 'disable' 206 | } 207 | # CCE-24259-4 208 | auditpol { 'MPSSVC Rule-Level Policy Change': 209 | success => 'disable', 210 | failure => 'disable' 211 | } 212 | # CCE-25169-4 213 | auditpol { 'Other Policy Change Events': 214 | success => 'disable', 215 | failure => 'disable' 216 | } 217 | # CCE-23876-6 218 | auditpol { 'Non Sensitive Privilege Use': 219 | success => 'disable', 220 | failure => 'disable' 221 | } 222 | # CCE-23920-2 223 | auditpol { 'Other Privilege Use Events': 224 | success => 'disable', 225 | failure => 'disable' 226 | } 227 | # CCE-24691-8 228 | auditpol { 'Sensitive Privilege Use': 229 | success => 'enable', 230 | failure => 'enable' 231 | } 232 | # CCE-25372-4 233 | auditpol { 'IPsec Driver': 234 | success => 'enable', 235 | failure => 'enable' 236 | } 237 | # CCE-25187-6 238 | auditpol { 'Other System Events': 239 | success => 'disable', 240 | failure => 'disable' 241 | } 242 | # CCE-25178-5 243 | auditpol { 'Security State Change': 244 | success => 'enable', 245 | failure => 'enable' 246 | } 247 | # CCE-25527-3 248 | auditpol { 'Security System Extension': 249 | success => 'enable', 250 | failure => 'enable' 251 | } 252 | # CCE-25093-6 253 | auditpol { 'System Integrity': 254 | success => 'enable', 255 | failure => 'enable' 256 | } 257 | 258 | } 259 | -------------------------------------------------------------------------------- /manifests/init.pp: -------------------------------------------------------------------------------- 1 | class windows_cis() { 2 | $gp_utils_folder = 'C:\\ProgramData\\gp_utils' 3 | file { $gp_utils_folder: 4 | ensure => directory, 5 | recurse => true, 6 | source_permissions => ignore, 7 | source => 'puppet:///modules/windows_cis/gp_utils' 8 | } 9 | } 10 
| -------------------------------------------------------------------------------- /manifests/rules.pp: -------------------------------------------------------------------------------- 1 | class windows_cis::rules( 2 | $ensure = 'enabled', 3 | $list = undef, 4 | ) { 5 | include windows_cis 6 | include windows_cis::auditpol 7 | case $ensure { 8 | 'enabled', 'present': { 9 | if $list == 'all' { 10 | exec { 'run LGP import': 11 | command => template('windows_cis/import_group_policy.ps1.erb'), 12 | provider => 'powershell' 13 | } 14 | exec { 'run Secedit import': 15 | command => template('windows_cis/import_policy_secedit.ps1.erb'), 16 | provider => 'powershell' 17 | } 18 | } 19 | } 20 | default: { 21 | fail('Invalid ensure option!\n') 22 | } 23 | } 24 | } -------------------------------------------------------------------------------- /metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "noma4i-windows_cis", 3 | "version": "0.1.3", 4 | "author": "noma4i", 5 | "summary": "Implementation of CIS Microsoft Windows Server Benchmark", 6 | "license": "Apache-2.0", 7 | "source": "https://github.com/noma4i/puppet-windows_cis", 8 | "project_page": "https://github.com/noma4i/puppet-windows_cis", 9 | "issues_url": "https://github.com/noma4i/puppet-windows_cis/issues", 10 | "operatingsystem_support": [ 11 | { 12 | "operatingsystem": "Windows", 13 | "operatingsystemrelease": [ 14 | "Server 2008", 15 | "Server 2008 R2", 16 | "Server 2012", 17 | "Server 2012 R2" 18 | ] 19 | } 20 | ], 21 | "dependencies": [ 22 | {"name":"joshcooper/powershell","version_requirement":">= 0.0.5 <5.0.0"}, 23 | {"name":"jonono-auditpol","version_requirement":">= 0.1.2 <5.0.0"} 24 | ] 25 | } 26 | 27 | -------------------------------------------------------------------------------- /spec/classes/init_spec.rb: -------------------------------------------------------------------------------- 1 | require 'spec_helper' 2 | describe 'windows_cis' do 3 | 
4 | context 'with defaults for all parameters' do 5 | it { should contain_class('windows_cis') } 6 | end 7 | end 8 | -------------------------------------------------------------------------------- /spec/spec_helper.rb: -------------------------------------------------------------------------------- 1 | require 'puppetlabs_spec_helper/module_spec_helper' 2 | -------------------------------------------------------------------------------- /templates/import_group_policy.ps1.erb: -------------------------------------------------------------------------------- 1 | Set-Location -Path "<%= scope.lookupvar('windows_cis::gp_utils_folder') %>" 2 | iex "cmd.exe /c <%= scope.lookupvar('windows_cis::gp_utils_folder') %>\lgpo.exe rules_list.txt /log <%= scope.lookupvar('windows_cis::gp_utils_folder') %>\log.txt /error <%= scope.lookupvar('windows_cis::gp_utils_folder') %>\log.txt" -------------------------------------------------------------------------------- /templates/import_policy_secedit.ps1.erb: -------------------------------------------------------------------------------- 1 | secedit /import /cfg "<%= scope.lookupvar('windows_cis::gp_utils_folder') %>\policy.inf" /db "C:\Windows\Temp\policyDB.sdb" 2 | secedit /configure /db "C:\Windows\Temp\policyDB.sdb" 3 | iex "cmd.exe /c gpupdate.exe" -------------------------------------------------------------------------------- /tests/init.pp: -------------------------------------------------------------------------------- 1 | # The baseline for module testing used by Puppet Labs is that each manifest 2 | # should have a corresponding test manifest that declares that class or defined 3 | # type. 4 | # 5 | # Tests are then run by using puppet apply --noop (to check for compilation 6 | # errors and view a log of events) or by fully applying the test in a virtual 7 | # environment (to compare the resulting system state to the desired state). 
8 | # 9 | # Learn more about module testing here: 10 | # http://docs.puppetlabs.com/guides/tests_smoke.html 11 | # 12 | include windows_cis 13 | --------------------------------------------------------------------------------