From f797641817550b7fe1c70dd76dac98a1aed3b908 Mon Sep 17 00:00:00 2001
From: David Federlein
Date: Mon, 10 Aug 2020 10:01:47 -0500
Subject: [PATCH] Commit master from downstream.
Signed-off-by: David Federlein
---
 .gitignore | 42 +
 CONTRIBUTING.rst | 53 +
 LICENSE | 21 +
 README.md | 48 +
 defaults/main.yml | 393 ++++
 handlers/main.yml | 4 +
 meta/main.yml | 22 +
 site.yml | 9 +
 tasks/cat1.yml | 650 ++++++
 tasks/cat2.yml | 5552 +++++++++++++++++++++++++++++++++++++++++++++
 tasks/cat3.yml | 283 +++
 tasks/main.yml | 52 +
 tasks/prelim.yml | 23 +
 13 files changed, 7152 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 CONTRIBUTING.rst
 create mode 100644 LICENSE
 create mode 100644 README.md
 create mode 100644 defaults/main.yml
 create mode 100644 handlers/main.yml
 create mode 100644 meta/main.yml
 create mode 100644 site.yml
 create mode 100644 tasks/cat1.yml
 create mode 100644 tasks/cat2.yml
 create mode 100644 tasks/cat3.yml
 create mode 100644 tasks/main.yml
 create mode 100644 tasks/prelim.yml
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..c46be6d
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,42 @@
+.env
+*.log
+*.retry
+.vagrant
+tests/*redhat-subscription
+tests/Dockerfile
+*.iso
+*.box
+packer_cache
+delete*
+ignore*
+# VSCode
+.vscode
+
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# DS_Store
+.DS_Store
+._*
+
+# Linux Editors
+*~
+\#*\#
+/.emacs.desktop
+/.emacs.desktop.lock
+.elc
+auto-save-list
+tramp
+.\#*
+*.swp
+*.swo
+rh-creds.env
+travis.env
+
+# Lockdown-specific
+benchparse/
+*xccdf.xml
+*.retry
+
diff --git a/CONTRIBUTING.rst b/CONTRIBUTING.rst
new file mode 100644
index 0000000..14a8ffe
--- /dev/null
+++ b/CONTRIBUTING.rst
@@ -0,0 +1,53 @@
+Contributing to MindPoint Group Projects
+========================================
+
+Signing your contribution
+-------------------------
+
+We've chosen to use the Developer's Certificate of Origin (DCO) method
+that is employed by the Linux Kernel Project, which provides a simple
+way to contribute to MindPoint Group projects.
+
+The process is to certify the below DCO 1.1 text
+::
+
+ Developer's Certificate of Origin 1.1
+
+ By making a contribution to this project, I certify that:
+
+ (a) The contribution was created in whole or in part by me and I
+ have the right to submit it under the open source license
+ indicated in the file; or
+
+ (b) The contribution is based upon previous work that, to the best
+ of my knowledge, is covered under an appropriate open source
+ license and I have the right under that license to submit that
+ work with modifications, whether created in whole or in part
+ by me, under the same open source license (unless I am
+ permitted to submit under a different license), as indicated
+ in the file; or
+
+ (c) The contribution was provided directly to me by some other
+ person who certified (a), (b) or (c) and I have not modified
+ it.
+
+ (d) I understand and agree that this project and the contribution
+ are public and that a record of the contribution (including all
+ personal information I submit with it, including my sign-off) is
+ maintained indefinitely and may be redistributed consistent with
+ this project or the open source license(s) involved.
+::
+
+Then, when it comes time to submit a contribution, include the
+following text in your contribution commit message:
+
+::
+
+ Signed-off-by: Joan Doe
+
+::
+
+
+This message can be entered manually, or if you have configured git
+with the correct `user.name` and `user.email`, you can use the `-s`
+option to `git commit` to automatically include the signoff message.
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..c3ae2c5
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2020 Mindpoint Group / Lockdown Enterprise
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..86dfbb7
--- /dev/null
+++ b/README.md
@@ -0,0 +1,48 @@
+Windows Server 2019 DISA STIG
+=========
+
+Configure a Windows Server 2019 system to be DISA STIG compliant. All findings will be audited by default. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default. ~Disruptive finding remediation can be enabled by setting `rhel7stig_disruption_high` to `yes`.~ _To be implemented_
+
+This role is based on Windows Server 2019 DISA STIG: [Version 1, Rel 9 released on July 26, 2019](Need URL HEre).
+
+Requirements
+------------
+
+Windows Server 2019 - Other versions are not supported.
+
+Dependencies
+------------
+
+The following packages must be installed on the controlling host/host where ansible is executed:
+
+- passlib (or python2-passlib, if using python2)
+- python-lxml
+- python-xmltodict
+- python-jmespath
+- pywinrm
+
+Package 'python-xmltodict' is required if you enable the OpenSCAP tool installation and run a report. Packages python(2)-passlib and python-jmespath are required for tasks with custom filters or modules. These are all required on the controller host that executes Ansible.
+
+Role Variables
+--------------
+
+Please see the Ansible docs for understanding [variable precedence](https://docs.ansible.com/ansible/latest/user_guide/playbooks_variables.html#variable-precedence-where-should-i-put-a-variable) to tailor for your needs.
+
+| Name | Default Value | Description |
+|--------------------------|-----------------------------------------------------|----------------------|
+| `win2019stig_cat1_patch` | `yes` see defaults/main.yml](./defaults/main.yml) | Correct CAT I findings |
+| `win2019stig_cat2_patch` | `yes` see defaults/main.yml](./defaults/main.yml) | Correct CAT II findings |
+| `win2019stig_cat3_patch` | `yes` see defaults/main.yml](./defaults/main.yml) | Correct CAT III findings |
+| `wn19_##_######` | [see defaults/main.yml](./defaults/main.yml) | Individual variables to enable/disable each STIG ID. |
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+ - hosts: servers
+ roles:
+ - role: win-2k16-stig
+ when:
+ - ansible_os_family == 'Windows'
+ - ansible_distribution | regex_search('(Server 2016)')
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..7811f53
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,393 @@
+---
+win2019stig_cat1_patch: yes
+win2019stig_cat2_patch: yes
+win2019stig_cat3_patch: yes
+
+win2019stig_min_ansible_version: "2.6"
+
+# We've defined complexity-high to mean that we cannot automatically remediate
+# the rule in question. In the future this might mean that the remediation
+# may fail in some cases.
+win2019stig_complexity_high: no
+
+# Show "changed" for complex items not remediated per complexity-high setting
+# to make them stand out. "changed" items on a second run of the role would
+# indicate items requiring manual review.
+win2019stig_audit_complex: yes
+
+# We've defined disruption-high to indicate items that are likely to cause
+# disruption in a normal workflow. These items can be remediated automatically
+# but are disabled by default to avoid disruption.
+win2019stig_disruption_high: no
+
+# Show "changed" for disruptive items not remediated per disruption-high
+# setting to make them stand out.
+win2019stig_audit_disruptive: yes
+
+win2019stig_skip_for_travis: false
+
+win2019stig_workaround_for_disa_benchmark: true
+win2019stig_workaround_for_ssg_benchmark: true
+
+# tweak role to run in a non-privileged container
+win2019stig_system_is_container: no
+
+#set to false to skip tasks that either have not been developed or cannot be automated
+is_implemented: false
+
+#set to false to skip long running tasks
+long_running: false
+
+# These variables correspond with the STIG IDs defined in the STIG and allows you to enable/disable specific rules.
+# PLEASE NOTE: These work in coordination with the cat1, cat2, cat3 group variables. You must enable an entire group
+# in order for the variables below to take effect.
+# CAT 1 rules
+wn19_00_000010: true
+wn19_00_000030: true
+wn19_00_000100: true
+wn19_00_000110: true
+wn19_00_000130: true
+wn19_cc_000210: true
+wn19_cc_000220: true
+wn19_cc_000230: true
+wn19_dc_000010: true
+wn19_dc_000070: true
+wn19_dc_000080: true
+wn19_dc_000090: true
+wn19_dc_000100: true
+wn19_dc_000110: true
+wn19_dc_000150: true
+wn19_dc_000290: true
+wn19_dc_000300: true
+wn19_ms_000010: true
+wn19_ms_000140: true
+wn19_so_000230: true
+wn19_so_000240: true
+wn19_so_000250: true
+wn19_so_000300: true
+wn19_so_000310: true
+wn19_ur_000020: true
+wn19_ur_000100: true
+
+# CAT 2 rules
+wn19_00_000020: true
+wn19_00_000040: true
+wn19_00_000050: true
+wn19_00_000060: true
+wn19_00_000070: true
+wn19_00_000080: true
+wn19_00_000090: true
+wn19_00_000120: true
+wn19_00_000140: true
+wn19_00_000150: true
+wn19_00_000160: true
+wn19_00_000170: true
+wn19_00_000190: true
+wn19_00_000200: true
+wn19_00_000210: true
+wn19_00_000220: true
+wn19_00_000230: true
+wn19_00_000240: true
+wn19_00_000250: true
+wn19_00_000260: true
+wn19_00_000270: true
+wn19_00_000280: true
+wn19_00_000290: true
+wn19_00_000300: true
+wn19_00_000310: true
+wn19_00_000320: true
+wn19_00_000330: true
+wn19_00_000340: true
+wn19_00_000350: true
+wn19_00_000360: true
+wn19_00_000370: true
+wn19_00_000380: true
+wn19_00_000390: true
+wn19_00_000400: true
+wn19_00_000410: true
+wn19_00_000420: true
+wn19_00_000430: true
+wn19_00_000450: true
+wn19_ac_000020: true
+wn19_ac_000030: wn19_ac_000020
+wn19_ac_000010: wn19_ac_000030
+wn19_ac_000040: true
+wn19_ac_000050: true
+wn19_ac_000060: true
+wn19_ac_000070: true
+wn19_ac_000080: true
+wn19_ac_000090: true
+wn19_au_000010: true
+wn19_au_000020: true
+wn19_au_000030: true
+wn16_au_000040: true
+wn19_au_000050: true
+wn19_au_000060: true
+wn19_au_000070: true
+wn19_au_000080: true
+wn19_au_000090: true
+wn19_au_000100: true
+wn19_au_000110: true
+wn19_au_000120: true
+wn19_au_000130: true
+wn19_au_000140: true
+wn19_au_000150: true
+wn19_au_000160: true
+wn19_au_000170: true
+wn19_au_000180: true
+wn19_au_000190: true
+wn19_au_000200: true
+wn19_au_000210: true
+wn19_au_000220: true
+wn19_au_000230: true
+wn19_au_000240: true
+wn19_au_000250: true
+wn19_au_000260: true
+wn19_au_000270: true
+wn19_au_000280: true
+wn19_au_000290: true
+wn19_au_000300: true
+wn19_au_000310: true
+wn19_au_000320: true
+wn19_au_000330: true
+wn19_au_000340: true
+wn19_au_000350: true
+wn19_au_000360: true
+wn19_au_000370: true
+wn19_au_000380: true
+wn19_au_000390: true
+wn19_cc_000010: true
+wn19_cc_000020: true
+wn19_cc_000070: true
+wn19_cc_000080: true
+wn19_cc_000090: true
+wn19_cc_000100: true
+wn19_cc_000110: true
+wn19_cc_000130: true
+wn19_cc_000140: true
+wn19_cc_000150: true
+wn19_cc_000160: true
+wn19_cc_000170: true
+wn19_cc_000180: true
+wn19_cc_000190: true
+wn19_cc_000240: true
+wn19_cc_000250: true
+wn19_cc_000260: true
+wn19_cc_000270: true
+wn19_cc_000280: true
+wn19_cc_000290: true
+wn19_cc_000300: true
+wn19_cc_000310: true
+wn19_cc_000330: true
+wn19_cc_000340: true
+wn19_cc_000350: true
+wn19_cc_000360: true
+wn19_cc_000370: true
+wn19_cc_000380: true
+wn19_cc_000390: true
+wn19_cc_000400: true
+wn19_cc_000410: true
+wn19_cc_000420: true
+wn19_cc_000430: true
+wn19_cc_000440: true
+wn19_cc_000450: true
+wn19_cc_000460: true
+wn19_cc_000470: true
+wn19_cc_000480: true
+wn19_cc_000490: true
+wn19_cc_000500: true
+wn19_cc_000510: true
+wn19_cc_000520: true
+wn19_dc_000020: true
+wn19_dc_000030: true
+wn19_dc_000040: true
+wn19_dc_000050: true
+wn19_dc_000060: true
+wn19_dc_000120: true
+wn16_dc_000130: true
+wn19_dc_000140: true
+wn19_dc_000170: true
+wn19_dc_000180: true
+wn19_dc_000190: true
+wn19_dc_000200: true
+wn19_dc_000210: true
+wn19_dc_000220: true
+wn19_dc_000230: true
+wn19_dc_000240: true
+wn19_dc_000250: true
+wn19_dc_000260: true
+wn19_dc_000270: true
+wn19_dc_000280: true
+wn19_dc_000310: true
+wn19_dc_000320: true
+wn19_dc_000330: true
+wn19_dc_000340: true
+wn19_dc_000350: true
+wn19_dc_000360: true
+wn19_dc_000370: true
+wn19_dc_000380: true
+wn19_dc_000390: true
+wn19_dc_000400: true
+wn19_dc_000410: true
+wn19_dc_000420: true
+wn19_dc_000430: true
+wn19_ep_000010: true
+wn19_ep_000020: true
+wn19_ep_000030: true
+wn19_ep_000040: true
+wn19_ep_000050: true
+wn19_ep_000060: true
+wn19_ep_000070: true
+wn19_ep_000080: true
+wn19_ep_000090: true
+wn19_ep_000100: true
+wn19_ep_000110: true
+wn19_ep_000120: true
+wn19_ep_000130: true
+wn19_ep_000140: true
+wn19_ep_000150: true
+wn19_ep_000160: true
+wn19_ep_000170: true
+wn19_ep_000180: true
+wn19_ep_000190: true
+wn19_ep_000200: true
+wn19_ep_000210: true
+wn19_ep_000220: true
+wn19_ep_000230: true
+wn19_ep_000240: true
+wn19_ep_000250: true
+wn19_ep_000260: true
+wn19_ep_000270: true
+wn19_ep_000280: true
+wn19_ep_000290: true
+wn19_ms_000020: true
+wn19_ms_000030: true
+wn19_ms_000040: true
+wn19_ms_000050: true
+wn19_ms_000060: true
+wn19_ms_000070: true
+wn19_ms_000080: true
+wn19_ms_000090: true
+wn19_ms_000100: true
+wn19_ms_000110: true
+wn19_ms_000120: true
+wn19_ms_000130: true
+wn19_PK_000010: true
+wn19_pk_000020: true
+wn19_pk_000030: true
+wn19_so_000010: true
+wn19_so_000020: true
+wn19_so_000030: true
+wn19_so_000040: true
+wn19_so_000050: true
+wn19_so_000060: true
+wn19_so_000070: true
+wn19_so_000080: true
+wn19_so_000090: true
+wn19_so_000100: true
+wn19_so_000110: true
+wn19_so_000120: true
+wn19_so_000130: true
+wn19_so_000150: true
+wn19_so_000160: true
+wn19_so_000170: true
+wn19_so_000180: true
+wn19_so_000190: true
+wn19_so_000200: true
+wn19_so_000210: true
+wn19_so_000220: true
+wn19_so_000260: true
+wn19_so_000270: true
+wn19_so_000280: true
+wn19_so_000290: true
+wn19_so_000320: true
+wn19_so_000330: true
+wn19_so_000340: true
+wn19_so_000350: true
+wn19_so_000360: true
+wn19_so_000380: true
+wn19_so_000390: true
+wn19_so_000400: true
+wn19_so_000410: true
+wn19_so_000420: true
+wn19_so_000430: true
+wn19_so_000440: true
+wn19_so_000450: true
+wn19_uc_000010: true
+wn19_ur_000010: true
+wn19_ur_000030: true
+wn19_ur_000040: true
+wn19_ur_000050: true
+wn19_ur_000060: true
+wn19_ur_000080: true
+wn19_ur_000090: true
+wn19_ur_000110: true
+wn19_ur_000120: true
+wn19_ur_000130: true
+wn19_ur_000140: true
+wn19_ur_000150: true
+wn19_ur_000160: true
+wn19_ur_000170: true
+wn19_ur_000180: true
+wn19_ur_000190: true
+wn19_ur_000200: true
+wn19_ur_000210: true
+wn19_ur_000220: true
+
+# CAT 3 rules
+wn19_00_000180: true
+wn19_00_000440: true
+wn19_00_000460: true
+wn19_00_000470: true
+wn19_cc_000030: true
+wn19_cc_000040: true
+wn19_cc_000050: true
+wn19_cc_000060: true
+wn19_cc_000200: true
+wn19_cc_000320: true
+wn19_dc_000160: true
+wn19_so_000140: true
+wn19_so_000370: true
+
+
+# CAT 1 defaults
+# This SID is the same for standalone, member, domain controller for 'Administrators' group
+wn19_ur_000130_sedebugprivilege: "*S-1-5-32-544"
+
+# CAT 2 defaults
+wn19_00_000020_pass_age: 60
+
+wn19_ac_000010_lockoutduration: 15
+wn19_ac_000020_lockoutbadcount: 3
+wn19_ac_000030_resetlockoutcount: 15
+wn19_ac_000040_passwordhistorysize: 24
+wn19_ac_000050_maximumpasswordage: 60
+wn19_ac_000060_minimumpasswordage: 1
+wn19_ac_000070_minimumpasswordlength: 14
+
+wn19_so_000030_newadministratorname: renamedadmin
+wn19_so_000040_newguestname: renamedguest
+
+wn19_so_000130_legalnoticetext: |
+ You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
+
+ By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+
+ -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+
+ -At any time, the USG may inspect and seize data stored on this IS.
+
+ -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+
+ -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+
+ -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
+
+wn19_cc_000270_app_maxsize: 32768
+wn19_cc_000280_sec_maxsize: 196608
+wn19_cc_000290_sys_maxsize: 32768
+
+wn19_dc_000430_pass_age: 180
+
+# CAT 3 defaults
+wn19_so_000140_legalnoticecaption: "DoD Notice and Consent Banner"
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..6e8efd4
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+- name: reboot_windows
+ win_reboot:
+ reboot_timeout: 3600
diff --git a/meta/main.yml b/meta/main.yml
new file mode 100644
index 0000000..0975b08
--- /dev/null
+++ b/meta/main.yml
@@ -0,0 +1,22 @@
+---
+galaxy_info:
+ author: Ryan Speelman
+ description: Apply the DISA Windows Server 2019 STIG
+ company: "MindPoint Group"
+ license: MIT
+ min_ansible_version: 2.6
+
+ platforms:
+ - name: Windows Server
+ versions:
+ - 2019
+
+ galaxy_tags:
+ - system
+ - security
+ - stig
+ - hardening
+ - microsoft
+ - windows
+
+ dependencies: []
diff --git a/site.yml b/site.yml
new file mode 100644
index 0000000..06b93b0
--- /dev/null
+++ b/site.yml
@@ -0,0 +1,9 @@
+---
+- hosts: demo
+ vars:
+ is_container: false
+
+ roles:
+ - role: "{{ playbook_dir }}"
+ win2019stig_system_is_container: "{{ is_container | default(false) }}"
+ win2019stig_skip_for_travis: true
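Review bot: Two of the per-rule switches in defaults/main.yml are misnamed — `wn16_au_000040: true` and `wn16_dc_000130: true` sit among the `wn19_*` keys, so any task gated with `when: wn19_au_000040` or `when: wn19_dc_000130` would hit an undefined variable instead of the intended default, and `wn19_PK_000010` breaks the lowercase naming that every other key and the visible task `when:` clauses use. `wn19_ac_000030: wn19_ac_000020` and `wn19_ac_000010: wn19_ac_000030` assign the name of another flag as a bare string rather than a template; whether Ansible resolves that string down to the referenced boolean depends on its conditional evaluation rules, which have been the subject of deprecation warnings, so either write `wn19_ac_000030: "{{ wn19_ac_000020 }}"` or set the booleans explicitly. The renamed-account defaults `renamedadmin` and `renamedguest` ship with the role and are therefore public, so WN19-SO-000030/000040 only add value when each deployment overrides them; a comment such as `# override per deployment: these defaults are published with the role` above those two keys would make that expectation explicit.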
diff --git a/tasks/cat1.yml b/tasks/cat1.yml
new file mode 100644
index 0000000..c87c57a
--- /dev/null
+++ b/tasks/cat1.yml
@@ -0,0 +1,650 @@ +--- +- name: "HIGH | WN19-00-000010 | Users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks." + block: + - name: "HIGH | WN19-00-000010 | AUDIT | Users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks." + win_shell: echo true + register: wn19_00_000010_audit + check_mode: no + changed_when: no + tags: audit + + - name: "HIGH | WN19-00-000010 | PATCH | Users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks." + win_shell: echo true + changed_when: no + tags: patch + when: + - wn19_00_000010 + - is_implemented + tags: + - WN19-00-000010 + - SV-87869r1 + - SRG-OS-000480-GPOS-00227 + - CCI-000366 + - V-93369 + - high + +- name: "HIGH | WN19-00-000030 | Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email." + block: + - name: "HIGH | WN19-00-000030 | AUDIT | Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email." + win_shell: echo true + register: wn19_00_000030_audit + check_mode: no + changed_when: no + tags: audit + + - name: "HIGH | WN19-00-000030 | PATCH | Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email." + win_shell: echo true + changed_when: no + tags: patch + when: + - wn19_00_000030 + - is_implemented + tags: + - WN19-00-000030 + - V-93205 + - SRG-OS-000480-GPOS-00227 + - SV-103293r1 + - CCI-000366 + - high + +- name: "HIGH | WN19-00-000100 | Systems must be maintained at a supported servicing level." + block: + - name: "HIGH | WN19-00-000100 | AUDIT | Systems must be maintained at a supported servicing level - OS Major Version." 
+ win_reg_stat: + path: HKLM:\Software\Microsoft\Windows NT\CurrentVersion\ + name: CurrentMajorVersionNumber + register: wn19_00_000100_audit_currentmajorversionnumber + failed_when: wn19_00_000100_audit_currentmajorversionnumber.value is not version('10', '>=') + changed_when: no + + - name: "HIGH | WN19-00-000100 | AUDIT | Systems must be maintained at a supported servicing level - OS Build (currentNumber)." + win_reg_stat: + path: HKLM:\Software\Microsoft\Windows NT\CurrentVersion + name: CurrentBuildNumber + register: wn19_00_000100_audit_currentbuildnumber + failed_when: wn19_00_000100_audit_currentbuildnumber.value is not version('17763', '>=') + changed_when: no + + - name: "HIGH | WN19-00-000100 | AUDIT | Systems must be maintained at a supported servicing level - OS Release" + win_reg_stat: + path: HKLM:\Software\Microsoft\Windows NT\CurrentVersion + name: ReleaseId + register: wn19_00_000100_audit_releaseid + failed_when: wn19_00_000100_audit_releaseid.value is not version('1809', '>=') + changed_when: no + + - name: "HIGH | WN19-00-000100 | AUDIT | Systems must be maintained at a supported servicing level - OS Build" + win_reg_stat: + path: HKLM:\Software\Microsoft\Windows NT\CurrentVersion + name: CurrentBuild + register: wn19_00_000100_audit_currentbuild + failed_when: wn19_00_000100_audit_currentbuildnumber.value is not version('17763', '>=') + changed_when: no + when: wn19_00_000100 + tags: + - WN19-00-000100 + - V-93215 + - SRG-OS-000480-GPOS-00227 + - SV-103303r1 + - CCI-000366 + - audit + - high + +- name: "HIGH | WN19-00-000110 | System must use an anti-virus program." + block: + # we have to figure out a common list of AV apps? and even if its installed would have to verify its running and set for auto-start, etc? + + # mcaffee is the approved virus? McAfee VirusScan Enterprise has been replaced by McAfee Endpoint Security. Start your migration now. 
https://www.mcafee.com/enterprise/en-us/products/virusscan-enterprise.html + # so guess we need to scan for the old and the new in case customers not migrated? + - name: "HIGH | WN19-00-000110 | AUDIT | System must use an anti-virus program." + win_shell: echo true + register: wn19_00_000110_audit + check_mode: no + changed_when: no + tags: audit + + - name: "HIGH | WN19-00-000110 | PATCH | System must use an anti-virus program." + win_shell: echo true + changed_when: no + tags: patch + when: + - wn19_00_000110 + - is_implemented + tags: + - WN19-00-000110 + - V-93217 + - SRG-OS-000480-GPOS-00227 + - SV-103305r1 + - CCI-000366 + - high + +- name: "HIGH | WN19-00-000130 | Local volumes must use a format that supports NTFS attributes." + block: + - name: "HIGH | WN19-00-000130 | AUDIT | Local volumes must use a format that supports NTFS attributes." + win_shell: Get-Volume + register: wn19_00_000130_audit + check_mode: no + changed_when: no + tags: audit + + - name: "HIGH | WN19-00-000130 | PATCH | Local volumes must use a format that supports NTFS attributes." + win_shell: echo true + changed_when: no + when: is_implemented + tags: patch + when: wn19_00_000130 + tags: + - WN19-00-000130 + - V-92991 + - SRG-OS-000080-GPOS-00048 + - SV-103079r1 + - CCI-000213 + - high + +- name: "HIGH | WN19-CC-000210 | AutoPlay must be turned off for non-volume devices." + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Explorer + state: present + value: NoAutoplayfornonVolume + data: 1 + datatype: dword + when: wn19_cc_000210 + tags: + - WN19-CC-000210 + - V-93373 + - SRG-OS-000368-GPOS-00154 + - SV-103459r1 + - CCI-001764 + - patch + - high + +- name: "HIGH | WN19-CC-000220 | Default AutoRun behavior must be configured to prevent AutoRun commands." 
+ win_regedit: + path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer + state: present + value: NoAutorun + data: 1 + datatype: dword + when: wn19_cc_000220 + tags: + - WN19-CC-000220 + - V-93375 + - SRG-OS-000368-GPOS-00154 + - SV-103461r1 + - CCI-001764 + - patch + - high + +- name: "HIGH | WN19-CC-000230 | AutoPlay must be disabled for all drives." + win_regedit: + path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer + state: present + name: NoDriveTypeAutoRun + data: 255 + datatype: dword + when: wn19_cc_000230 + tags: + - WN19-CC-000230 + - V-93377 + - SRG-OS-000368-GPOS-00154 + - SV-103463r1 + - CCI-001764 + - patch + - high + +- name: "HIGH | WN19-DC-000010 | Must only allow administrators responsible for the domain controller to have Administrator rights on the system." + block: + - name: "HIGH | WN19-DC-000010 | AUDIT | Must only allow administrators responsible for the domain controller to have Administrator rights on the system." + win_shell: echo true + register: wn19_dc_000010_audit + check_mode: no + changed_when: no + tags: audit + + - name: "HIGH | WN19-DC-000010 | PATCH | Must only allow administrators responsible for the domain controller to have Administrator rights on the system." + win_shell: echo true + changed_when: no + tags: patch + when: + - wn19_dc_000010 + - ansible_windows_domain_role == "Primary domain controller" + - is_implemented + tags: + - WN19-DC-000010 + - V-93027 + - SRG-OS-000324-GPOS-00125 + - SV-103115r1 + - CCI-002235 + - notimplemented + - notest + - high + +- name: "MEDIUM | WN19-DC-000070 | Permissions on the Active Directory data files must only allow System and Administrators access." + block: + - name: "MEDIUM | WN19-DC-000070 | AUDIT | Permissions on the Active Directory data files must only allow System and Administrators access." 
+ win_shell: echo true + register: wn19_dc_000070_audit + check_mode: no + changed_when: no + tags: audit + + - name: "MEDIUM | WN19-DC-000070 | PATCH | Permissions on the Active Directory data files must only allow System and Administrators access." + win_shell: echo true + changed_when: no + tags: patch + when: + - wn19_dc_000070 + - ansible_windows_domain_role == "Primary domain controller" + - is_implemented + tags: + - WN19-DC-000070 + - V-93029 + - SRG-OS-000324-GPOS-00125 + - SV-103117r1 + - CCI-002235 + - high + +- name: "MEDIUM | WN19-DC-000080 | Active Directory SYSVOL directory must have the proper access control permissions." + block: + - name: "MEDIUM | WN19-DC-000080 | AUDIT | Active Directory SYSVOL directory must have the proper access control permissions." + win_shell: echo true + register: wn19_dc_000080_audit + check_mode: no + changed_when: no + tags: audit + + - name: "MEDIUM | WN19-DC-000080 | PATCH | Active Directory SYSVOL directory must have the proper access control permissions." + win_shell: echo true + changed_when: no + tags: patch + when: + - wn19_dc_000080 + - ansible_windows_domain_role == "Primary domain controller" + - is_implemented + tags: + - WN19-DC-000080 + - V-93029 + - SRG-OS-000324-GPOS-00125 + - SV-103117r1 + - CCI-002235 + - high + +- name: "MEDIUM | WN19-DC-000090 | Active Directory Group Policy objects must have proper access control permissions." + block: + - name: "MEDIUM | WN19-DC-000090 | AUDIT | Active Directory Group Policy objects must have proper access control permissions." + win_shell: echo true + register: wn19_dc_000090_audit + check_mode: no + changed_when: no + tags: audit + + - name: "MEDIUM | WN19-DC-000090 | PATCH | Active Directory Group Policy objects must have proper access control permissions." 
+ win_shell: echo true + changed_when: no + tags: patch + when: + - wn19_dc_000090 + - ansible_windows_domain_role == "Primary domain controller" + - is_implemented + tags: + - WN19-DC-000090 + - V-93033 + - SRG-OS-000324-GPOS-00125 + - SV-103121r1 + - CCI-002235 + - high + +- name: "HIGH | WN19-DC-000100 | The Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions." + block: + - name: "HIGH | WN19-DC-000100 | AUDIT | The Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions." + win_shell: echo true + register: wn19_dc_000100_audit + check_mode: no + changed_when: no + tags: audit + + - name: "HIGH | WN19-DC-000100 | PATCH | The Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions." + win_shell: echo true + changed_when: no + tags: patch + when: + - wn19_dc_000100 + - ansible_windows_domain_role == "Primary domain controller" + - is_implemented + tags: + - WN19-DC-000100 + - V-93035 + - SRG-OS-000324-GPOS-00125 + - SV-103123r1 + - CCI-002235 + - high + +- name: "HIGH | WN19-DC-000110 | Organization created Active Directory Organizational Unit (OU) objects must have proper access control permissions." + block: + - name: "HIGH | WN19-DC-000110 | AUDIT | Organization created Active Directory Organizational Unit (OU) objects must have proper access control permissions." + win_shell: echo true + register: wn19_dc_000110_audit + check_mode: no + changed_when: no + tags: audit + + - name: "HIGH | WN19-DC-000110 | PATCH | Organization created Active Directory Organizational Unit (OU) objects must have proper access control permissions." 
+ win_shell: echo true + changed_when: no + tags: patch + when: + - wn19_dc_000110 + - ansible_windows_domain_role == "Primary domain controller" + - is_implemented + tags: + - WN19-DC-000110 + - SV-88029r1_rule + - SRG-OS-000324-GPOS-00125 + - CCI-002235 + - high + +- name: "HIGH | WN19-DC-000150 | Directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access." + block: + - name: "HIGH | WN19-DC-000150 | AUDIT | Directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access." + win_shell: echo true + register: wn19_dc_000150_audit + check_mode: no + changed_when: no + tags: audit + + - name: "HIGH | WN19-DC-000150 | PATCH | Directory data (outside the root DSE) of a non-public directory must be configured to prevent anonymous access." + win_shell: echo true + changed_when: no + tags: patch + when: + - wn19_dc_000150 + - ansible_windows_domain_role == "Primary domain controller" + - is_implemented + tags: + - WN19-DC-000150 + - V-93271 + - SRG-OS-000480-GPOS-00227 + - SV-103359r1 + - CCI-000366 + - high + +- name: "HIGH | WN19-DC-000290 | Domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA)." + block: + - name: "HIGH | WN19-DC-000290 | AUDIT | Domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA)." + win_shell: echo true + register: wn19_dc_000290_audit + check_mode: no + changed_when: no + tags: audit + + - name: "HIGH | WN19-DC-000290 | PATCH | Domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA)." 
+ win_shell: echo true + changed_when: no + tags: patch + when: + - wn19_dc_000290 + - is_implemented + - ansible_windows_domain_role == "Primary domain controller" + tags: + - WN19-DC-000290 + - V-93483 + - SRG-OS-000066-GPOS-00034 + - SV-103569r1 + - CCI-000185 + - high + +# add some task/eternal variable for approved CAs, check for DoD and how pull programatically +- name: "HIGH | WN19-DC-000300 | PKI certificates associated with user accounts must be issued by the DoD PKI or an approved External Certificate Authority (ECA)." + block: + - name: "HIGH | WN19-DC-000300 | AUDIT | PKI certificates associated with user accounts must be issued by the DoD PKI or an approved External Certificate Authority (ECA)." + win_shell: echo true + register: wn19_dc_000300_audit + check_mode: no + changed_when: no + tags: audit + + - name: "HIGH | WN19-DC-000300 | PATCH | PKI certificates associated with user accounts must be issued by the DoD PKI or an approved External Certificate Authority (ECA)." + win_shell: echo true + changed_when: no + tags: patch + when: + - wn19_dc_000300 + - ansible_windows_domain_role == "Primary domain controller" + - is_implemented + tags: + - WN19-DC-000300 + - V-93485 + - SRG-OS-000066-GPOS-00034 + - SV-103571r1 + - CCI-000185 + - high + +## populate a dictionary/list from customer +- name: "HIGH | WN19-MS-000010 | Only administrators responsible for the member server or standalone system must have Administrator rights on the system." + block: + - name: "HIGH | WN19-MS-000010 | AUDIT | Only administrators responsible for the member server or standalone system must have Administrator rights on the system." + win_shell: Get-LocalGroupMember -Name 'Administrators' + register: wn19_ms_000010_audit + changed_when: no + - name: "HIGH | WN19-MS-000010 | AUDIT | Only administrators responsible for the member server or standalone system must have Administrator rights on the system." 
+ debug:
+ msg:
+ - The following users or groups have Administrator rights on this system
+ - "{{ wn19_ms_000010_audit.stdout.split('\n') }}"
+ changed_when: no
+ when:
+ - wn19_ms_000010
+ - not ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-MS-000010
+ - V-93043
+ - SRG-OS-000324-GPOS-00125
+ - SV-103131r1
+ - CCI-002235
+ - audit
+ - high
+
+- name: "HIGH | WN19-MS-000140 | Must be running Credential Guard on domain-joined member servers."
+ block:
+ - name: "HIGH | WN19-MS-000140 | PATCH | Must be running Credential Guard on domain-joined member servers."
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
+ state: present
+ value: "{{ item }}"
+ data: 1
+ datatype: dword
+ loop:
+ - EnableVirtualizationBasedSecurity
+ - RequirePlatformSecurityFeatures
+ - HypervisorEnforcedCodeIntegrity
+ - HVCIMATRequired
+ - LsaCfgFlags
+ when:
+ - wn19_ms_000140
+ - ansible_windows_domain_role == "Member server"
+ tags:
+ - WN19-MS-000140
+ - V-93277
+ - SRG-OS-000480-GPOS-00227
+ - SV-103365r1
+ - CCI-000366
+ - NeedToTestMemberServer
+ - patch
+ - high
+
+# odd one
+# https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lsad/2a769a08-e023-459f-aebe-4fb3f595c0b7
+- name: "HIGH | WN19-SO-000210 | Must not allow anonymous SID/Name translation."
+ win_security_policy:
+ section: System Access
+ key: LSAAnonymousNameLookup
+ value: 0
+ when: wn19_so_000210
+ tags:
+ - WN19-SO-000210
+ - V-93289
+ - SRG-OS-000480-GPOS-00227
+ - SV-103377r1
+ - CCI-000366
+ - patch
+ - high
+
+- name: "HIGH | WN19-SO-000220 | Must not allow anonymous enumeration of Security Account Manager (SAM) accounts."
+ win_regedit:
+ path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa
+ state: present
+ value: RestrictAnonymousSAM
+ data: 1
+ datatype: dword
+ when:
+ - wn19_so_000220
+ - ansible_windows_domain_role != "Primary domain controller"
+ tags:
+ - WN19-SO-000220
+ - V-93291
+ - SRG-OS-000480-GPOS-00227
+ - SV-103379r1
+ - CCI-000366
+ - patch
+ - high
+ # fails_openscap_borked_regkey_casesensitive
+ # emailed_disa.letterkenny.re.mbx.stig-customer-support-mailbox@mail.mil
+
+- name: "HIGH | WN19-SO-000230 | Must not allow anonymous enumeration of shares."
+ win_regedit:
+ path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa
+ state: present
+ value: RestrictAnonymous
+ data: 1
+ datatype: dword
+ when: wn19_so_000230
+ tags:
+ - WN19-SO-000230
+ - V-93537
+ - SRG-OS-000138-GPOS-00069
+ - SV-103623r1
+ - CCI-001090
+ - patch
+ - high
+ # fails_openscap_borked_regkey_casesensitive
+
+- name: "MEDIUM | WN19-SO-000240 | Must be configured to prevent anonymous users from having the same permissions as the Everyone group."
+ win_regedit:
+ path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa
+ state: present
+ value: EveryoneIncludesAnonymous
+ data: 0
+ datatype: dword
+ when: wn19_so_000240
+ tags:
+ - WN19-SO-000240
+ - V-93293
+ - SRG-OS-000480-GPOS-00227
+ - SV-103381r1
+ - CCI-000366
+ - patch
+ - high
+ - borked_regkey_casesensitive
+
+- name: "HIGH | WN19-SO-000250 | Must restrict anonymous access to Named Pipes and Shares."
+ win_regedit:
+ path: HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters
+ state: present
+ value: restrictnullsessaccess
+ data: 1
+ datatype: dword
+ when: wn19_so_000250
+ tags:
+ - WN19-SO-000250
+ - V-93539
+ - SRG-OS-000138-GPOS-00069
+ - SV-103625r1
+ - CCI-001090
+ - patch
+ - high
+
+- name: "HIGH | WN19-SO-000300 | Must be configured to prevent the storage of the LAN Manager hash of passwords."
+ win_regedit:
+ path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa
+ state: present
+ value: NoLMHash
+ data: 1
+ datatype: dword
+ when: wn19_so_000300
+ tags:
+ - WN19-SO-000300
+ - V-93467
+ - SRG-OS-000073-GPOS-00041
+ - SV-103553r1
+ - CCI-000196
+ - patch
+ - high
+ # fails_openscap_borked_regkey_casesensitive
+
+- name: "HIGH | WN19-SO-000310 | LAN Manager authentication level must be configured to send NTLMv2 response only and to refuse LM and NTLM."
+ win_regedit:
+ path: HKLM:\System\CurrentControlSet\Control\Lsa
+ state: present
+ value: LmCompatibilityLevel
+ data: 5
+ datatype: dword
+ when: wn19_so_000310
+ tags:
+ - WN19-SO-000310
+ - V-93301
+ - SRG-OS-000480-GPOS-00227
+ - SV-103389r1
+ - CCI-000366
+ - patch
+ - high
+
+- name: "HIGH | WN19-UR-000020 | Act as part of the operating system user right must not be assigned to any groups or accounts."
+ win_user_right:
+ name: SeTcbPrivilege
+ users:
+ action: set
+ when: wn19_ur_000020
+ tags:
+ - WN19-UR-000020
+ - V-93051
+ - SRG-OS-000324-GPOS-00125
+ - SV-103139r1
+ - CCI-002235
+ - patch
+ - high
+
+- name: "HIGH | WN19-UR-000060 | Create a token object user right must not be assigned to any groups or accounts."
+ win_security_policy:
+ section: Privilege Rights
+ key: SeCreateTokenPrivilege
+ value: ""
+ when: wn19_ur_000060
+ tags:
+ - WN19-UR-000060
+ - V-93057
+ - SRG-OS-000324-GPOS-00125
+ - SV-103145r1
+ - CCI-002235
+ - patch
+ - high
+
+# fails openscap - the v1r10 xml checks for "Administrators" string but secedit uses the SIDs thus
+# "SeDebugPrivilege = *S-1-5-32-544" is Administrators (openscap fails)
+# emailed_disa.letterkenny.re.mbx.stig-customer-support-mailbox@mail.mil
+# SCC tool works
+- name: "HIGH | WN19-UR-000100 | Debug programs: user right must only be assigned to the Administrators group."
+ win_user_right:
+ name: SeDebugPrivilege
+ users: Administrators
+ action: set
+ when: wn19_ur_000100
+ tags:
+ - WN19-UR-000100
+ - V-93065
+ - SRG-OS-000324-GPOS-00125
+ - SV-103153r1
+ - CCI-002235
+ - patch
+ - high
+
+
diff --git a/tasks/cat2.yml b/tasks/cat2.yml
new file mode 100644
index 0000000..31ae4b4
--- /dev/null
+++ b/tasks/cat2.yml
@@ -0,0 +1,5552 @@
+---
+# enumerating on DC is different than standalone
+- name: "MEDIUM | WN19-00-000020 | Passwords for the built-in Administrator account must be changed at least every {{ wn19_00_000020_pass_age }} days."
+ block:
+ - name: "MEDIUM | WN19-00-000020 | AUDIT - DOMAIN CONTROLLER | Passwords for the built-in Administrator account must be changed at least every {{ wn19_00_000020_pass_age }} days."
+ win_shell: "Get-ADUser -Filter * -Property PasswordLastSet | Where SID -like S-1-5-21-*-500 | Where-Object {$_.PasswordLastSet -lt ((Get-Date).AddDays(-{{ wn19_00_000020_pass_age }}))} | Select Name,PasswordLastSet"
+ # win_shell: "Get-ADUser krbtgt -Property PasswordLastSet | Where-Object {$_.PasswordLastSet -lt ((Get-Date).AddDays(-{{ WN19_dc_000430_pass_age }}))} | Select-Object -ExpandProperty PasswordLastSet"
+ register: wn19_00_000020_audit_dc
+ check_mode: no
+ changed_when: wn19_00_000020_audit_dc.stdout != ""
+ when: ansible_windows_domain_role == "Primary domain controller"
+
+ - name: "MEDIUM | WN19-00-000020 | AUDIT - DOMAIN CONTROLLER | Passwords for the built-in Administrator account must be changed at least every {{ wn19_00_000020_pass_age }} days."
+ debug:
+ msg:
+ - "The following account appears to be the default admin account and the password does not meet the control specific age of {{ wn19_00_000020_pass_age }}"
+ - "{{ WN19_00_000020_audit_dc.stdout.split('\n') }}"
+ when:
+ - not wn19_00_000020_audit_dc is skipped
+ - wn19_00_000020_audit_dc.stdout != ""
+ changed_when: yes
+
+ - name: "MEDIUM | WN19-00-000020 | AUDIT - DOMAIN MEMBERS OR STANDALONE | Passwords for the built-in Administrator account must be changed at least every {{ wn19_00_000020_pass_age }} days."
+ win_shell: "Get-Localuser -Name * | Select * | Where SID -like S-1-5-21-*-500 | Where-Object {$_.PasswordLastSet -lt ((Get-Date).AddDays(-{{ wn19_00_000020_pass_age }}))} | Select Name,PasswordLastSet"
+ register: wn19_00_000020_audit_dm_sa
+ changed_when: wn19_00_000020_audit_dm_sa.stdout != ""
+ when: not ansible_windows_domain_role == "Primary domain controller"
+
+ - name: "MEDIUM | WN19-00-000020 | AUDIT - DOMAIN MEMBERS OR STANDALONE | Passwords for the built-in Administrator account must be changed at least every {{ wn19_00_000020_pass_age }} days."
+ debug:
+ msg:
+ - "The following account appears to be the default admin account and the password does not meet the control specific age of {{ wn19_00_000020_pass_age }}"
+ - "{{ wn19_00_000020_audit_dm_sa.stdout.split('\n') }}"
+ when:
+ - wn19_00_000020_audit_dm_sa is defined
+ - wn19_00_000020_audit_dm_sa.stdout != ""
+ changed_when: yes
+ when: wn19_00_000020
+ tags:
+ - WN19-00-000020
+ - SV-103457r1
+ - CCI-000366
+ - SRG-OS-000480-GPOS-00227
+ - NeedToTestDomainController
+ - audit
+ - medium
+
+- name: "MEDIUM | WN19-00-000040 | Members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks."
+ block:
+ - name: "MEDIUM | WN19-00-000040 | AUDIT STAND-ALONE AND MEMBER SERVERS | Members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks."
+ win_shell: Get-LocalGroupMember -Name 'Backup Operators'
+ register: wn19_00_000040_audit
+ check_mode: no
+ changed_when: no
+
+ - name: "MEDIUM | WN19-00-000040 | AUDIT STAND-ALONE AND MEMBER SERVERS | Members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks."
+ debug:
+ msg:
+ - The accounts listed are members of the Backup Operators group
+ - "{{ wn19_00_000040_audit.stdout.split('\n') }}"
+ when:
+ - not wn19_00_000040_audit is skipped
+ - wn19_00_000040_audit.stdout != ""
+ changed_when: no
+ when:
+ - wn19_00_000040
+ - not ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-00-000040
+ - V-93207
+ - SRG-OS-000480-GPOS-00227
+ - SV-103295r1
+ - CCI-000366
+ - audit
+ - medium
+
+- name: "MEDIUM | WN19-00-000050 | Manually managed application account passwords must be at least 15 characters in length."
+ block:
+ - name: "MEDIUM | WN19-00-000050 | AUDIT | Manually managed application account passwords must be at least 15 characters in length."
+ win_shell: echo true
+ register: wn19_00_000050_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-00-000050 | PATCH | Manually managed application account passwords must be at least 15 characters in length."
+ win_shell: echo true
+ changed_when: no
+ tags: patch
+ when:
+ - wn19_00_000050
+ - is_implemented
+ tags:
+ - WN19-00-000050
+ - V-93461
+ - SRG-OS-000078-GPOS-00046
+ - SV-103547r1
+ - CCI-000205
+ - medium
+ # how to make this list?
+
+- name: "MEDIUM | WN19-00-000060 | Manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization."
+ block:
+ - name: "MEDIUM | WN19-00-000060 | AUDIT | Manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization."
+ win_shell: echo true
+ register: wn19_00_000060_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-00-000060 | PATCH | Manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization."
+ win_shell: echo true
+ changed_when: no
+ tags: patch
+ when:
+ - wn19_00_000060
+ - is_implemented
+ tags:
+ - WN19-00-000060
+ - V-93209
+ - SRG-OS-000480-GPOS-00227
+ - SV-103297r1
+ - CCI-000366
+ - medium
+ # how to make this list?
+
+
+- name: "MEDIUM | WN19-00-000070 | Shared user accounts must not be permitted on the system."
+ block:
+ - name: "MEDIUM | WN19-00-000070 | AUDIT | Shared user accounts must not be permitted on the system."
+ win_shell: echo true
+ register: wn19_00_000070_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-00-000070 | PATCH | Shared user accounts must not be permitted on the system."
+ win_shell: echo true
+ changed_when: no
+ tags: patch
+ when:
+ - wn19_00_000070
+ - is_implemented
+ tags:
+ - WN19-00-000070
+ - V-93437
+ - SRG-OS-000104-GPOS-00051
+ - SV-103523r1
+ - CCI-000764
+ - medium
+ # org has to supply a list? shared acct must be in SSP?
+
+- name: "MEDIUM | WN19-00-000080 | Must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs."
+ block:
+ - name: "MEDIUM | WN19-00-000080 | AUDIT | Must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs."
+ win_shell: echo true
+ register: wn19_00_000080_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-00-000080 | PATCH | Must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs."
+ win_shell: echo true
+ changed_when: no
+ tags: patch
+ when:
+ - wn19_00_000080
+ - is_implemented
+ tags:
+ - WN19-00-000080
+ - V-93379
+ - SRG-OS-000370-GPOS-00155
+ - SV-103465r1
+ - CCI-001774
+ - medium
+ # Get-AppLockerPolicy -Effective
+
+- name: "MEDIUM | WN19-00-000090 | Domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use."
+ block:
+ - name: "MEDIUM | WN19-00-000090 | AUDIT | Domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use."
+ win_shell: echo true
+ register: wn19_00_000090_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-00-000090 | PATCH | Domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use."
+ win_shell: echo true
+ changed_when: no
+ tags: patch
+ # Current hardware and virtual environments may not support virtualization-based security features, including Credential Guard, due to specific supporting requirements including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within a virtual machine.
+ when:
+ - wn19_00_000090
+ - is_implemented
+ - ansible_windows_domain_role == "Member server"
+ tags:
+ - WN19-00-000090
+ - V-93213
+ - SRG-OS-000480-GPOS-00227
+ - SV-103301r1
+ - CCI-000366
+ - medium
+ # wmic /namespace:\\root\cimv2\security\microsofttpm path win32_tpm get *
+ # if not enabled see "No Instance(s) Available." ?
+
+- name: "MEDIUM | WN19-00-000120 | Servers must have a host-based intrusion detection or prevention system."
+ block:
+ - name: "MEDIUM | WN19-00-000120 | AUDIT | Servers must have a host-based intrusion detection or prevention system."
+ win_shell: echo true
+ register: wn19_00_000120_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-00-000120 | PATCH | Servers must have a host-based intrusion detection or prevention system."
+ win_shell: echo true
+ changed_when: no
+ tags: patch
+ when:
+ - wn19_00_000120
+ - is_implemented
+ tags:
+ - WN19-00-000120
+ - V-93219
+ - SRG-OS-000480-GPOS-00227
+ - SV-103307r1
+ - CCI-000366
+ - medium
+ # think this is mcafee but need install and figure out paths for AV vs HIDS and/or running services?
+
+
+- name: "MEDIUM | WN19-00-000140 | Permissions for the system drive root directory usually C:\ must conform to minimum requirements."
+ block:
+ - name: "MEDIUM | WN19-00-000140 | AUDIT | Permissions for the system drive root directory usually C:\ must conform to minimum requirements."
+ win_shell: echo true
+ #https://vaulted.io/library/disa-stigs-srgs/windows_server_2019_stig/V-93293
+ register: wn19_00_000140_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-00-000140 | PATCH | Permissions for the system drive root directory usually C:\ must conform to minimum requirements."
+ win_shell: echo true
+ changed_when: no
+ tags: patch
+ when:
+ - wn19_00_000140
+ - is_implemented
+ tags:
+ - WN19-00-000140
+ - V-93019
+ - SRG-OS-000312-GPOS-00122
+ - SV-103107r1
+ - CCI-002165
+ - medium
+
+- name: "MEDIUM | WN19-00-000150 | Permissions for program file directories must conform to minimum requirements."
+ block:
+ - name: "MEDIUM | WN19-00-000150 | AUDIT | Permissions for program file directories must conform to minimum requirements."
+ win_shell: echo true
+ register: wn19_00_000150_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-00-000150 | PATCH | Permissions for program file directories must conform to minimum requirements."
+ win_shell: echo true
+ changed_when: no
+ tags: patch
+ when:
+ - wn19_00_000150
+ - is_implemented
+ tags:
+ - WN19-00-000150
+ - V-93021
+ - SRG-OS-000312-GPOS-00122
+ - SV-103109r1
+ - CCI-002165
+ - medium
+
+- name: "MEDIUM | WN19-00-000160 | Permissions for the Windows installation directory must conform to minimum requirements."
+ block:
+ - name: "MEDIUM | WN19-00-000160 | AUDIT | Permissions for the Windows installation directory must conform to minimum requirements."
+ win_shell: echo true
+ register: wn19_00_000160_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-00-000160 | PATCH | Permissions for the Windows installation directory must conform to minimum requirements."
+ win_shell: echo true
+ changed_when: no
+ tags: patch
+ when:
+ - wn19_00_000160
+ - is_implemented
+ tags:
+ - WN19-00-000160
+ - V-93023
+ - SRG-OS-000312-GPOS-00122
+ - SV-103111r1
+ - CCI-002165
+ - medium
+
+- name: "MEDIUM | WN19-00-000170 | Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained."
+ block:
+ - name: "MEDIUM | WN19-00-000170 | AUDIT | Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained."
+ win_shell: echo true
+ register: wn19_00_000170_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-00-000170 | PATCH | Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained."
+ win_shell: echo true
+ changed_when: no
+ tags: patch
+ when:
+ - wn19_00_000170
+ - is_implemented
+ tags:
+ - WN19-00-000170
+ - V-93025
+ - SRG-OS-000324-GPOS-00125
+ - SV-103113r1
+ - CCI-002235
+ - medium
+
+- name: "MEDIUM | WN19-00-000190 | Outdated or unused accounts must be removed from the system or disabled."
+ block:
+ - name: "MEDIUM | WN19-00-000190 | AUDIT | Outdated or unused accounts must be removed from the system or disabled."
+ win_shell: echo true
+ register: wn19_00_000190_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-00-000190 | PATCH | Outdated or unused accounts must be removed from the system or disabled."
+ win_shell: echo true
+ changed_when: no
+ tags: patch
+ when:
+ - wn19_00_000190
+ - is_implemented
+ tags:
+ - WN19-00-000190
+ - V-93457
+ - SRG-OS-000118-GPOS-00060
+ - SV-103543r1
+ - CCI-000795
+ - medium
+
+- name: "MEDIUM | WN19-00-000200 | Accounts must require passwords."
+ block:
+ - name: "MEDIUM | WN19-00-000200 | AUDIT - DOMAIN CONTROLLER | Accounts must require passwords."
+ win_shell: Get-Aduser -Filter "(Passwordnotrequired -eq 'True') -and (Enabled -eq 'True')" | Select Name,Passwordnotrequired,Enabled
+ register: wn19_00_000200_audit_dc
+ check_mode: no
+ changed_when: wn19_00_000200_audit_dc.stdout != ""
+ when: ansible_windows_domain_role == "Primary domain controller"
+
+ - name: "MEDIUM | WN19-00-000200 | AUDIT - DOMAIN CONTROLLER | Accounts must require passwords."
+ debug:
+ msg:
+ - The accounts listed are do not require a password and are currently enabled
+ - "{{ wn19_00_000200_audit_dc.stdout.split('\n') }}"
+ when:
+ - not wn19_00_000200_audit_dc is skipped
+ - wn19_00_000200_audit_dc.stdout != ""
+ changed_when: yes
+
+ - name: "MEDIUM | WN19-00-000200 | AUDIT - DOMAIN MEMBERS OR STANDALONE | Accounts must require passwords."
+ win_shell: Get-LocalUser | Where-Object {($_.PasswordRequired -ne 'True' -and $_.Enabled -eq 'True')} | Select Name,PasswordRequired,Enabled
+ register: wn19_00_000200_audit_dm_sa
+ check_mode: no
+ changed_when: wn19_00_000200_audit_dm_sa.stdout != ""
+ when: not ansible_windows_domain_role == "Primary domain controller"
+
+ - name: "MEDIUM | WN19-00-000200 | AUDIT -DOMAIN MEMBERS OR STANDALONE | Accounts must require passwords."
+ debug:
+ msg:
+ - The accounts listed are do not require a password and are currently enabled
+ - "{{ wn19_00_000200_audit_dm_sa.stdout.split('\n') }}"
+ when:
+ - not wn19_00_000200_audit_dm_sa is skipped
+ - wn19_00_000200_audit_dm_sa.stdout != ""
+ changed_when: yes
+ when: wn19_00_000200
+ tags:
+ - WN19-00-000200
+ - V-93439
+ - SRG-OS-000104-GPOS-00051
+ - SV-103525r2
+ - CCI-000764
+ - medium
+ - audit
+
+- name: "MEDIUM | WN19-00-000210 | Passwords must be configured to expire."
+ block:
+ - name: "MEDIUM | WN19-00-000210 | AUDIT | Passwords must be configured to expire."
+ win_shell: |
+ Get-CimInstance -Class Win32_Useraccount -Filter "PasswordExpires=False and LocalAccount=True" |
+ Where-Object -FilterScript {$_.PasswordExpires -EQ $False -AND $_.Disabled -EQ $False} |
+ Format-Table -Property Name,PasswordExpires,Disabled,LocalAccount
+ register: wn19_00_000210_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-00-000210 | PATCH | Passwords must be configured to expire."
+ win_shell: echo true
+ changed_when: no
+ when: is_implemented
+ tags: patch
+ when: wn19_00_000210
+ tags:
+ - WN19-00-000210
+ - V-93475
+ - SRG-OS-000076-GPOS-00044
+ - SV-103561r1
+ - medium
+
+- name: "MEDIUM | WN19-00-000220 | System files must be monitored for unauthorized changes."
+ block:
+ - name: "MEDIUM | WN19-00-000220 | AUDIT | System files must be monitored for unauthorized changes."
+ win_shell: echo true
+ register: wn19_00_000220_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-00-000220 | PATCH | System files must be monitored for unauthorized changes."
+ win_shell: echo true
+ changed_when: no
+ tags: patch
+ when:
+ - wn19_00_000220
+ - is_implemented
+ tags:
+ - WN19-00-000220
+ - V-93203
+ - SRG-OS-000363-GPOS-00150
+ - SV-103291r1
+ - CCI-001744
+ - medium
+ # Some third party software to monitor files
+
+- name: "MEDIUM | WN19-00-000230 | Non-system-created file shares on a system must limit access to groups that require it."
+ block:
+ - name: "MEDIUM | WN19-00-000230 | AUDIT | Non-system-created file shares on a system must limit access to groups that require it."
+ win_shell: Get-SmbShare | Where-Object -FilterScript {$_.Special -EQ $False}
+ register: wn19_00_000230_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-00-000230 | PATCH | Non-system-created file shares on a system must limit access to groups that require it."
+ win_shell: echo true
+ changed_when: no
+ when: is_implemented
+ tags: patch
+ when: wn19_00_000230
+ tags:
+ - WN19-00-000230
+ - V-93531
+ - SRG-OS-000138-GPOS-00069
+ - SV-103617r1
+ - CCI-001090
+ - medium
+
+# https://stackoverflow.com/questions/31049454/how-to-retrieve-recursively-any-files-with-a-specific-extensions-in-powershell/31049571
+- name: "MEDIUM | WN19-00-000240 | must have software certificate installation files removed."
+ block:
+ - name: "MEDIUM | WN19-00-000240 | AUDIT | must have software certificate installation files removed."
+ win_find:
+ paths: c:\
+ patterns: ['*.p12', '*.pfx']
+ hidden: true
+ recurse: true
+ follow: true
+ register: wn19_00_000240_audit
+ check_mode: no
+ changed_when: no
+ when: long_running
+ tags: audit
+
+ - name: "MEDIUM | WN19-00-000240 | PATCH | must have software certificate installation files removed."
+ win_shell: echo true
+ changed_when: no
+ when: is_implemented
+ tags: patch
+ when: wn19_00_000240
+ tags:
+ - WN19-00-000240
+ - V-93221
+ - SRG-OS-000480-GPOS-00227
+ - SV-103309r2
+ - CCI-000366
+ - medium
+ - NotTested
+ # do we need async; its very long running to search filesystems
+ # get an array of drive letters to search?
+
+- name: "MEDIUM | WN19-00-000250 | Systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest."
+ block:
+ - name: "MEDIUM | WN19-00-000250 | AUDIT | Systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest."
+ win_shell: echo true
+ register: wn19_00_000250_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-00-000250 | PATCH | Systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest."
+ win_shell: echo true
+ changed_when: no
+ tags: patch
+ when:
+ - wn19_00_000250
+ - is_implemented
+ tags:
+ - WN19-00-000250
+ - V-93515
+ - SRG-OS-000185-GPOS-00079
+ - SV-103601r1
+ - CCI-001199
+ - CCI-002475
+ - CCI-002476
+ - medium
+
+- name: "MEDIUM | WN19-00-000260 | Must implement protection methods such as TLS, encrypted VPNs, or IPsec if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process."
+ block:
+ - name: "MEDIUM | WN19-00-000260 | AUDIT | Must implement protection methods such as TLS, encrypted VPNs, or IPsec if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process."
+ win_shell: echo true
+ register: wn19_00_000260_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-00-000260 | PATCH | Must implement protection methods such as TLS, encrypted VPNs, or IPsec if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process."
+ win_shell: echo true
+ changed_when: no
+ tags: patch
+ when:
+ - wn19_00_000260
+ - is_implemented
+ tags:
+ - WN19-00-000260
+ - V-93543
+ - SRG-OS-000425-GPOS-00189
+ - SV-103629r1
+ - CCI-002420
+ - CCI-002422
+ - medium
+
+- name: "MEDIUM | WN19-00-000270 | Must have the roles and features required by the system documented."
+ block:
+ - name: "MEDIUM | WN19-00-000270 | AUDIT | Must have the roles and features required by the system documented."
+ win_shell: Get-WindowsFeature | Where-Object -FilterScript {$_.Installed -EQ $True}
+ register: wn19_00_000270_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-00-000270 | PATCH | Must have the roles and features required by the system documented."
+ win_shell: echo true
+ changed_when: no
+ when: is_implemented
+ tags: patch
+ when: wn19_00_000270
+ tags:
+ - WN19-00-000270
+ - V-93381
+ - SRG-OS-000095-GPOS-00049
+ - SV-103467r1
+ - CCI-000381
+ - medium
+
+- name: "MEDIUM | WN19-00-000280 | Must have a host-based firewall installed and enabled."
+ block:
+ - name: "MEDIUM | WN19-00-000280 | AUDIT | Must have a host-based firewall installed and enabled."
+ win_shell: echo true
+ register: wn19_00_000280_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-00-000280 | PATCH | Must have a host-based firewall installed and enabled."
+ win_shell: echo true
+ changed_when: no
+ tags: patch
+ when:
+ - wn19_00_000280
+ - is_implemented
+ tags:
+ - WN19-00-000280
+ - V-93571
+ - SRG-OS-000480-GPOS-00231
+ - SV-103657r1
+ - CCI-000366
+ - CCI-002080
+ - medium
+
+- name: "MEDIUM | WN19-00-000290 | Must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP)."
+ block:
+ - name: "MEDIUM | WN19-00-000290 | AUDIT | Must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP)."
+ win_shell: echo true
+ register: wn19_00_000290_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-00-000290 | PATCH | Must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP)."
+ win_shell: echo true
+ changed_when: no
+ tags: patch
+ when:
+ - wn19_00_000290
+ - is_implemented
+ tags:
+ - WN19-00-000290
+ - V-93567
+ - SRG-OS-000191-GPOS-00080
+ - SV-103653r1
+ - CCI-001233
+ - medium
+
+- name: "MEDIUM | WN19-00-000300 | Must automatically remove or disable temporary user accounts after 72 hours."
+ block:
+ - name: "MEDIUM | WN19-00-000300 | AUDIT | Must automatically remove or disable temporary user accounts after 72 hours."
+ win_shell: echo true
+ register: wn19_00_000300_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-00-000300 | PATCH | Must automatically remove or disable temporary user accounts after 72 hours."
+ win_shell: echo true
+ changed_when: no
+ tags: patch
+ when:
+ - wn19_00_000300
+ - is_implemented
+ tags:
+ - WN19-00-000300
+ - V-92975
+ - SRG-OS-000002-GPOS-00002
+ - SV-103063r1
+ - CCI-000016
+ - medium
+ #Speelman | requires input of the names of temporary user account
+
+- name: "MEDIUM | WN19-00-000310 | Must automatically remove or disable temporary user accounts after 72 hours."
+ block:
+ - name: "MEDIUM | WN19-00-000310 | AUDIT | Must automatically remove or disable temporary user accounts after 72 hours."
+ win_shell: echo true
+ register: wn19_00_000310_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-00-000310 | PATCH | Must automatically remove or disable temporary user accounts after 72 hours."
+ win_shell: echo true
+ changed_when: no
+ tags: patch
+ when:
+ - wn19_00_000310
+ - is_implemented
+ tags:
+ - WN19-00-000310
+ - V-92975
+ - SRG-OS-000002-GPOS-00002
+ - SV-103063r1
+ - CCI-000016
+ - medium
+ # how? prompt customer provided name list? scan against local account names for unknown ones?
+ #Speelman | requires input of the names of emergency user account
+ #Speelman | Could add variable instead of hardcoding 72 hours
+
+- name: "MEDIUM | WN19-00-000320 | Must not have the Fax Server role installed."
+ win_feature:
+ name: Fax
+ state: absent
+ notify: reboot_windows
+ when: wn19_00_000320
+ tags:
+ - WN19-00-000320
+ - V-93383
+ - SRG-OS-000095-GPOS-00049
+ - SV-103469r1
+ - CCI-000381
+ - patch
+ - medium
+
+- name: "MEDIUM | WN19-00-000330 | The Microsoft FTP service must not be installed unless required."
+ win_feature:
+ name: Web-Ftp-Server
+ state: absent
+ notify: reboot_windows
+ when: wn19_00_000330
+ tags:
+ - WN19-00-000330
+ - V-93421
+ - SRG-OS-000096-GPOS-00050
+ - SV-103507r1
+ - CCI-000382
+ - patch
+ - medium
+
+- name: "MEDIUM | WN19-00-000340 | The Peer Name Resolution Protocol must not be installed."
+ win_feature:
+ name: PNRP
+ state: absent
+ notify: reboot_windows
+ when: wn19_00_000340
+ tags:
+ - WN19-00-000340
+ - V-93385
+ - SRG-OS-000095-GPOS-00049
+ - SV-103471r1
+ - CCI-000381
+ - patch
+ - medium
+
+- name: "MEDIUM | WN19-00-000350 | Simple TCP/IP Services must not be installed."
+ win_feature:
+ name: Simple-TCPIP
+ state: absent
+ when: wn19_00_000350
+ tags:
+ - WN19-00-000350
+ - V-93387
+ - SRG-OS-000095-GPOS-00049
+ - SV-103473r1
+ - CCI-000381
+ - patch
+ - medium
+
+- name: "MEDIUM | WN19-00-000360 | The Telnet Client must not be installed."
+ win_feature:
+ name: Telnet-Client
+ state: absent
+ when: wn19_00_000360
+ tags:
+ - WN19-00-000360
+ - V-93423
+ - SRG-OS-000096-GPOS-00050
+ - SV-103509r1
+ - CCI-000382
+ - patch
+ - medium
+
+- name: "MEDIUM | WN19-00-000370 | The TFTP Client must not be installed."
+ win_feature:
+ name: TFTP-Client
+ state: absent
+ when: wn19_00_000370
+ tags:
+ - WN19-00-000370
+ - V-93389
+ - SRG-OS-000095-GPOS-00049
+ - SV-103475r1
+ - CCI-000381
+ - patch
+ - medium
+
+- name: "MEDIUM | WN19-00-000380 | The Server Message Block (SMB) v1 protocol must be uninstalled."
+ win_feature:
+ name: FS-SMB1
+ state: absent
+ register: wn19_00_000380_register
+ notify: reboot_windows
+ when: wn19_00_000380
+ tags:
+ - WN19-00-000380
+ - V-93391
+ - SRG-OS-000095-GPOS-00049
+ - SV-103477r1
+ - CCI-000381
+ - patch
+ - medium
+
+- name: "MEDIUM | WN19-00-000390 | Must have the Server Message Block (SMB) v1 protocol disabled on the SMB server."
+ win_regedit:
+ path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
+ name: SMB1
+ data: 0x00000000
+ type: dword
+ state: present
+ notify: reboot_windows
+ when: wn19_00_000390
+ tags:
+ - WN19-00-000390
+ - V-93393
+ - SRG-OS-000095-GPOS-00049
+ - SV-103479r1
+ - CCI-000381
+ - medium
+ - patch
+
+- name: "MEDIUM | WN19-00-000400 | Must have the Server Message Block (SMB) v1 protocol disabled on the SMB server."
+ win_regedit:
+ path: HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10
+ name: Start
+ data: 0x00000004
+ type: dword
+ state: present
+ notify: reboot_windows
+ when: wn19_00_000400
+ tags:
+ - WN19-00-000400
+ - V-93395
+ - SRG-OS-000095-GPOS-00049
+ - SV-103481r1
+ - CCI-000381
+ - patch
+ - medium
+
+- name: "MEDIUM | WN19-00-000410 | Must not have Windows PowerShell 2.0 installed."
+ win_feature:
+ name: PowerShell-V2
+ state: absent
+ when: wn19_00_000410
+ tags:
+ - WN19-00-000410
+ - V-93397
+ - SRG-OS-000095-GPOS-00049
+ - SV-103483r1
+ - CCI-000381
+ - medium
+ - patch
+
+- name: "MEDIUM | WN19-00-000420 | FTP servers must be configured to prevent anonymous logons."
+ block:
+ - name: "MEDIUM | WN19-00-000420 | AUDIT | FTP servers must be configured to prevent anonymous logons."
+ win_shell: echo true
+ register: wn16_00_000430_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-00-000420 | PATCH | FTP servers must be configured to prevent anonymous logons."
+ win_shell: echo true
+ changed_when: no
+ tags: patch
+ when:
+ - wn19_00_000420
+ - is_implemented
+ tags:
+ - WN19-00-000420
+ - V-93223
+ - SRG-OS-000480-GPOS-00227
+ - SV-103311r1
+ - CCI-000366
+ - medium
+
+- name: "MEDIUM | WN19-00-000430 | FTP servers must be configured to prevent access to the system drive."
+ block:
+ - name: "MEDIUM | WN19-00-000430 | AUDIT | FTP servers must be configured to prevent access to the system drive."
+ win_shell: echo true
+ register: wn16_00_000440_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-00-000430 | PATCH | FTP servers must be configured to prevent access to the system drive."
+ win_shell: echo true
+ changed_when: no
+ tags: patch
+ when:
+ - wn19_00_000430
+ - is_implemented
+ tags:
+ - WN19-00-000430
+ - V-93225
+ - SRG-OS-000480-GPOS-00227
+ - SV-103313r1
+ - CCI-000366
+ - medium
+
+- name: "MEDIUM | WN19-00-000450 | Orphaned security identifiers (SIDs) must be removed from user rights"
+ block:
+ - name: "MEDIUM | WN19-00-000450 | AUDIT | Orphaned security identifiers (SIDs) must be removed from user rights"
+ win_shell: echo true
+ register: wn19_00_000450_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-00-000450 | PATCH | Orphaned security identifiers (SIDs) must be removed from user rights"
+ win_shell: echo true
+ changed_when: no
+ tags: patch
+ when:
+ - wn19_00_000450
+ - is_implemented
+ tags:
+ - WN19-00-000450
+ - V-93227
+ - SRG-OS-000480-GPOS-00227
+ - SV-103315r1
+ - CCI-000366
+ - medium
+ # https://www.stigviewer.com/stig/windows_server_2016/2019-01-16/finding/V-78127
+
+# below task is dependent on WN19-AC-000020 and WN19-AC-000030, maybe custom fail when known error if WN19-AC-000020 not set? "The key 'LockoutDuration' in section 'System Access' is not a valid key, cannot set this value"
+- name: "MEDIUM | WN19-AC-000010 | Account lockout duration must be configured to 15 minutes or greater."
+ block:
+ - name: "MEDIUM | WN19-AC-000010 | AUDIT | Account lockout duration must be configured to 15 minutes or greater."
+ assert:
+ that: wn19_ac_000010_lockoutduration | int is version('15', '<=')
+ fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable wn19_ac_000010_lockoutduration is set to {{ wn19_ac_000010_lockoutduration }}"
+ ignore_errors: yes
+ tags: audit
+
+ - name: "MEDIUM | WN19-AC-000010 | PATCH | Account lockout duration must be configured to 15 minutes or greater."
+ win_security_policy:
+ section: System Access
+ key: LockoutDuration
+ value: "{{ wn19_ac_000010_lockoutduration }}"
+ tags: patch
+ when: wn19_ac_000010 | bool
+ tags:
+ - WN19-AC-000010
+ - V-93145
+ - SRG-OS-000329-GPOS-00128
+ - SV-103233r1
+ - CCI-002238
+ - medium
+
+- name: "MEDIUM | WN19-AC-000020 | Must have the number of allowed bad logon attempts configured to three or less."
+ win_security_policy:
+ section: System Access
+ key: LockoutBadCount
+ value: "{{ wn19_ac_000020_lockoutbadcount }}"
+ when: wn19_ac_000020
+ tags:
+ - WN19-AC-000020
+ - V-93141
+ - SRG-OS-000021-GPOS-00005
+ - SV-103229r1
+ - CCI-000044
+ - medium
+ - patch
+
+# below task is dependent on WN16-AC-000020, maybe custom fail when known error if WN16-AC-000020 not set? "The key 'ResetLockoutCount' in section 'System Access' is not a valid key, cannot set this value"
+- name: "MEDIUM | WN19-AC-000030 | Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater."
+ block:
+ - name: "MEDIUM | WN19-AC-000030 | AUDIT | Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater."
+ assert:
+ that: wn19_ac_000030_resetlockoutcount | int is version('15', '>=')
+ fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable wn19_ac_000030_resetlockoutcount is set to {{ wn19_ac_000030_resetlockoutcount }}"
+ ignore_errors: yes
+ tags: audit
+
+ - name: "MEDIUM | WN19-AC-000030 | PATCH | Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater."
+ win_security_policy:
+ section: System Access
+ key: ResetLockoutCount
+ value: "{{ wn19_ac_000030_resetlockoutcount }}"
+ tags: patch
+ when: wn19_ac_000030 | bool
+ tags:
+ - WN19-AC-000030
+ - V-93143
+ - SRG-OS-000021-GPOS-00005
+ - SV-103231r1
+ - CCI-000044
+ - CCI-002238
+ - medium
+
+- name: "MEDIUM | WN19-AC-000040 | Password history must be configured to 24 passwords remembered."
+ block:
+ - name: "MEDIUM | WN19-AC-000040 | AUDIT | Password history must be configured to 24 passwords remembered."
+ assert:
+ that: wn19_ac_000040_passwordhistorysize | int is version('24', '>=')
+ fail_msg: "Password history must be configured to 24 passwords remembered and variable wn19_ac_000040_passwordhistorysize is set to {{ wn19_ac_000040_passwordhistorysize }}"
+ ignore_errors: yes
+ tags: audit
+
+ - name: "MEDIUM | WN19-AC-000040 | PATCH | Password history must be configured to 24 passwords remembered."
+ win_security_policy:
+ section: System Access
+ key: PasswordHistorySize
+ value: "{{ wn19_ac_000040_passwordhistorysize }}"
+ tags: patch
+ when: wn19_ac_000040
+ tags:
+ - WN19-AC-000040
+ - V-93479
+ - SRG-OS-000077-GPOS-00045
+ - SV-103565r1
+ - CCI-000200
+ - medium
+
+- name: "MEDIUM | WN19-AC-000050 | Maximum password age must be configured to 60 days or less."
+ block:
+ - name: "MEDIUM | WN19-AC-000050 | AUDIT | Maximum password age must be configured to 60 days or less."
+ assert:
+ that: wn19_ac_000050_maximumpasswordage | int is version('60', '<=')
+ fail_msg: "Maximum password age must be configured to 60 days or less and variable wn19_ac_000050_maximumpasswordage is set to {{ wn19_ac_000050_maximumpasswordage }}"
+ ignore_errors: yes
+ tags: audit
+
+ - name: "MEDIUM | WN19-AC-000050 | PATCH | Maximum password age must be configured to 60 days or less."
+ win_security_policy:
+ section: System Access
+ key: MaximumPasswordAge
+ value: "{{ wn19_ac_000050_maximumpasswordage }}"
+ tags: patch
+ when: wn19_ac_000050
+ tags:
+ - WN19-AC-000050
+ - V-93477
+ - SRG-OS-000076-GPOS-00044
+ - SV-103563r1
+ - CCI-000199
+ - medium
+
+- name: "MEDIUM | WN19-AC-000060 | Minimum password age must be configured to at least one day."
+ block:
+ - name: "MEDIUM | WN19-AC-000060 | AUDIT | Minimum password age must be configured to at least one day."
+ assert:
+ that: wn19_ac_000060_minimumpasswordage is version('1', '>=')
+ fail_msg: "Minimum password age must be configured to at least one day and variable wn19_ac_000060_minimumpasswordage is set to {{ wn19_ac_000060_minimumpasswordage }}"
+ ignore_errors: yes
+ tags: audit
+
+ - name: "MEDIUM | WN19-AC-000060 | PATCH | Minimum password age must be configured to at least one day."
+ win_security_policy:
+ section: System Access
+ key: MinimumPasswordAge
+ value: "{{ wn19_ac_000060_minimumpasswordage }}"
+ tags: patch
+ when: wn19_ac_000060
+ tags:
+ - WN19-AC-000060
+ - V-93471
+ - SRG-OS-000075-GPOS-00043
+ - SV-103557r1
+ - CCI-000198
+ - medium
+
+- name: "MEDIUM | WN19-AC-000070 | Minimum password length must be configured to 14 characters."
+ block:
+ - name: "MEDIUM | WN19-AC-000070 | AUDIT | Minimum password length must be configured to 14 characters."
+ assert:
+ that: wn19_ac_000070_minimumpasswordlength is version('14', '>=')
+ fail_msg: "Minimum password length must be configured to 14 characters and variable wn19_ac_000070_minimumpasswordlength is set to {{ wn19_ac_000070_minimumpasswordlength }} characters"
+ ignore_errors: yes
+ tags: audit
+
+ - name: "MEDIUM | WN19-AC-000070 | PATCH | Minimum password length must be configured to 14 characters."
+ win_security_policy:
+ section: System Access
+ key: MinimumPasswordLength
+ value: "{{ wn19_ac_000070_minimumpasswordlength }}"
+ tags: patch
+ when: wn19_ac_000070
+ tags:
+ - WN19-AC-000070
+ - V-93463
+ - SRG-OS-000078-GPOS-00046
+ - SV-103549r1
+ - CCI-000205
+ - medium
+
+- name: "MEDIUM | WN19-AC-000080 | Must have the built-in Windows password complexity policy enabled."
+ win_security_policy:
+ section: System Access
+ key: PasswordComplexity
+ value: 1
+ when: wn19_ac_000080
+ tags:
+ - WN19-AC-000080
+ - V-93459
+ - SRG-OS-000069-GPOS-00037
+ - SV-103545r1
+ - CCI-000192
+ - CCI-000193
+ - CCI-000194
+ - CCI-001619
+ - medium
+ - patch
+
+- name: "MEDIUM | WN19-AC-000090 | Reversible password encryption must be disabled."
+ win_security_policy:
+ section: System Access
+ key: ClearTextPassword
+ value: "0"
+ changed_when: no
+ when: wn19_ac_000090
+ tags:
+ - WN19-AC-000090
+ - V-93465
+ - SRG-OS-000073-GPOS-00041
+ - SV-103551r1
+ - CCI-000196
+ - patch
+ - medium
+
+- name: "MEDIUM | WN19-AU-000010 | Audit records must be backed up to a different system or media than the system being audited."
+ block:
+ - name: "MEDIUM | WN19-AU-000010 | AUDIT | Audit records must be backed up to a different system or media than the system being audited."
+ win_shell: echo true
+ register: wn19_au_000010_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-AU-000010 | PATCH | Audit records must be backed up to a different system or media than the system being audited."
+ win_shell: echo true
+ changed_when: no
+ tags: patch
+ when:
+ - wn19_au_000010
+ - is_implemented
+ tags:
+ - WN19-AU-000010
+ - V-93183
+ - SRG-OS-000342-GPOS-00133
+ - SV-103271r1
+ - CCI-001851
+ - medium
+
+- name: "MEDIUM | WN19-AU-000020 | Must, at a minimum, off-load audit records of interconnected systems in real time and off-load standalone systems weekly."
+ block:
+ - name: "MEDIUM | WN19-AU-000020 | AUDIT | Must, at a minimum, off-load audit records of interconnected systems in real time and off-load standalone systems weekly."
+ win_shell: echo true
+ register: wn16_au_000020_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-AU-000020 | PATCH | Must, at a minimum, off-load audit records of interconnected systems in real time and off-load standalone systems weekly."
+ win_shell: echo true
+ changed_when: no
+ tags: patch
+ when:
+ - wn19_au_000020
+ - is_implemented
+ tags:
+ - WN19-AU-000020
+ - V-93185
+ - SRG-OS-000479-GPOS-00224
+ - SV-103273r1
+ - CCI-001851
+ - medium
+ # hard one, either need to standardize on say log shipping like splunk or other is set?
+
+- name: "MEDIUM | WN19-AU-000030 | Permissions for the Application event log must prevent access by non-privileged accounts."
+ block:
+ - name: "MEDIUM | WN19-AU-000030 | AUDIT | Permissions for the Application event log must prevent access by non-privileged accounts."
+ win_shell: echo true
+ register: wn16_au_000030_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-AU-000030 | PATCH | Permissions for the Application event log must prevent access by non-privileged accounts."
+ win_shell: echo true
+ changed_when: no
+ tags: patch
+ when:
+ - wn19_au_000030
+ - is_implemented
+ tags:
+ - WN19-AU-000030
+ - V-93189
+ - SRG-OS-000057-GPOS-00027
+ - SV-103277r1
+ - CCI-000162
+ - CCI-000163
+ - CCI-000164
+ - medium
+
+- name: "MEDIUM | WN19-AU-000040 | Permissions for the Security event log must prevent access by non-privileged accounts."
+ block:
+ - name: "MEDIUM | WN19-AU-000040 | AUDIT | Permissions for the Security event log must prevent access by non-privileged accounts."
+ win_shell: echo true
+ register: wn16_au_000040_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-AU-000040 | PATCH | Permissions for the Security event log must prevent access by non-privileged accounts."
+ win_shell: echo true
+ changed_when: no
+ tags: patch
+ when:
+ - wn16_au_000040
+ - is_implemented
+ tags:
+ - WN19-AU-000040
+ - V-93191
+ - SRG-OS-000057-GPOS-00027
+ - SV-103279r1
+ - CCI-000162
+ - CCI-000163
+ - CCI-000164
+ - medium
+
+- name: "MEDIUM | WN19-AU-000050 | Permissions for the System event log must prevent access by non-privileged accounts."
+ block:
+ - name: "MEDIUM | WN19-AU-000050 | AUDIT | Permissions for the System event log must prevent access by non-privileged accounts."
+ win_shell: echo true
+ register: wn16_au_000050_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-AU-000050 | PATCH | Permissions for the System event log must prevent access by non-privileged accounts."
+ win_shell: echo true
+ changed_when: no
+ tags: patch
+ when:
+ - wn19_au_000050
+ - is_implemented
+ tags:
+ - WN19-AU-000050
+ - V-93193
+ - SRG-OS-000057-GPOS-00027
+ - SV-103281r1
+ - CCI-000162
+ - CCI-000163
+ - CCI-000164
+ - medium
+
+- name: "MEDIUM | WN19-AU-000060 | Event Viewer must be protected from unauthorized modification and deletion."
+ block:
+ - name: "MEDIUM | WN19-AU-000060 | AUDIT | Event Viewer must be protected from unauthorized modification and deletion."
+ win_shell: echo true
+ register: wn19_au_000060_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-AU-000060 | PATCH | Event Viewer must be protected from unauthorized modification and deletion."
+ win_shell: echo true
+ changed_when: no
+ tags: patch
+ when:
+ - wn19_au_000060
+ - is_implemented
+ tags:
+ - WN19-AU-000060
+ - V-93195
+ - SRG-OS-000257-GPOS-00098
+ - SV-103283r1
+ - CCI-001494
+ - CCI-001495
+ - medium
+
+- name: "MEDIUM | WN19-AU-000070 | Must be configured to audit Account Logon - Credential Validation successes."
+ block:
+ - name: "MEDIUM | WN19-AU-000070 | AUDIT | Must be configured to audit Account Logon - Credential Validation successes."
+ win_shell: AuditPol /get /subcategory:"Credential Validation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: wn19_au_000070_audit
+ check_mode: no
+ changed_when: "'Success' not in wn19_au_000070_audit.stdout"
+ tags: audit
+
+ - name: "MEDIUM | WN19-AU-000070 | PATCH | Must be configured to audit Account Logon - Credential Validation successes."
+ win_shell: AuditPol /set /subcategory:"Credential Validation" /success:enable
+ when: wn19_au_000070_audit is defined
+ changed_when: "'Success' not in wn19_au_000070_audit.stdout"
+ tags: patch
+ when: wn19_au_000070
+ tags:
+ - WN19-AU-000070
+ - V-93153
+ - SRG-OS-000470-GPOS-00214
+ - SV-103241r1
+ - CCI-000172
+ - medium
+
+- name: "MEDIUM | WN19-AU-000080 | Must be configured to audit Account Logon - Credential Validation failures."
+ block:
+ - name: "MEDIUM | WN19-AU-000080 | AUDIT | Must be configured to audit Account Logon - Credential Validation failures."
+ win_shell: AuditPol /get /subcategory:"Credential Validation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: wn19_au_000080_audit
+ check_mode: no
+ changed_when: "'Success' not in wn19_au_000080_audit.stdout"
+ ignore_errors: yes
+ tags: audit
+
+ - name: "MEDIUM | WN19-AU-000080 | PATCH | Must be configured to audit Account Logon - Credential Validation failures."
+ win_shell: AuditPol /set /subcategory:"Credential Validation" /failure:enable
+ when: wn19_au_000080_audit is defined
+ changed_when: "'Failure' not in wn19_au_000080_audit.stdout"
+ tags: patch
+ when: wn19_au_000080
+ tags:
+ - WN19-AU-000080
+ - V-93155
+ - SRG-OS-000470-GPOS-00214
+ - SV-103243r1
+ - CCI-000172
+ - medium
+
+- name: "MEDIUM | WN19-AU-000090 | Must be configured to audit Account Management - Other Account Management Events successes."
+ block:
+ - name: "MEDIUM | WN19-AU-000090 | AUDIT | Must be configured to audit Account Management - Other Account Management Events successes."
+ win_shell: AuditPol /get /subcategory:"Other Account Management Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: wn19_au_000090_audit
+ check_mode: no
+ changed_when: "'Success' not in wn19_au_000090_audit.stdout"
+ tags: audit
+
+ - name: "MEDIUM | WN19-AU-000090 | PATCH | Must be configured to audit Account Management - Other Account Management Events successes."
+ win_shell: AuditPol /set /subcategory:"Other Account Management Events" /success:enable
+ when: wn19_au_000090_audit is defined
+ changed_when: "'Success' not in wn19_au_000090_audit.stdout"
+ tags: patch
+ when: wn19_au_000090
+ tags:
+ - WN19-AU-000090
+ - V-93089
+ - SRG-OS-000327-GPOS-00127
+ - SV-103177r1
+ - CCI-000172
+ - CCI-002234
+ - medium
+
+- name: "MEDIUM | WN19-AU-000100 | Must be configured to audit Account Management - Security Group Management successes."
+ block:
+ - name: "MEDIUM | WN19-AU-000100 | AUDIT | Must be configured to audit Account Management - Security Group Management successes."
+ win_shell: AuditPol /get /subcategory:"Security Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: wn19_au_000100_audit
+ check_mode: no
+ changed_when: "'Success' not in wn19_au_000100_audit.stdout"
+ tags: audit
+
+ - name: "MEDIUM | WN19-AU-000100 | PATCH | Must be configured to audit Account Management - Security Group Management successes."
+ win_shell: AuditPol /set /subcategory:"Security Group Management" /success:enable
+ when: wn19_au_000100_audit is defined
+ changed_when: "'Success' not in wn19_au_000100_audit.stdout"
+ tags: patch
+ when: wn19_au_000100
+ tags:
+ - WN19-AU-000100
+ - V-92979
+ - SRG-OS-000004-GPOS-00004
+ - SV-103067r1
+ - CCI-000018
+ - CCI-000172
+ - CCI-001403
+ - CCI-001404
+ - CCI-001405
+ - CCI-002130
+ - medium
+
+- name: "MEDIUM | WN19-AU-000110 | Must be configured to audit Account Management - User Account Management successes."
+ block:
+ - name: "MEDIUM | WN19-AU-000110 | AUDIT | Must be configured to audit Account Management - User Account Management successes."
+ win_shell: AuditPol /get /subcategory:"User Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: wn19_au_000110_audit
+ check_mode: no
+ changed_when: "'Success' not in wn19_au_000110_audit.stdout"
+ tags: audit
+
+ - name: "MEDIUM | WN19-AU-000110 | PATCH | Must be configured to audit Account Management - User Account Management successes."
+ win_shell: AuditPol /set /subcategory:"User Account Management" /success:enable
+ when: wn19_au_000110_audit is defined
+ changed_when: "'Success' not in wn19_au_000110_audit.stdout"
+ tags: patch
+ when: wn19_au_000110
+ tags:
+ - WN19-AU-000110
+ - V-92981
+ - SRG-OS-000004-GPOS-00004
+ - SV-103069r1
+ - CCI-000018
+ - CCI-000172
+ - CCI-001403
+ - CCI-001404
+ - CCI-001405
+ - CCI-002130
+ - medium
+
+- name: "MEDIUM | WN19-AU-000120 | Must be configured to audit Account Management - User Account Management failures."
+ block:
+ - name: "MEDIUM | WN19-AU-000120 | AUDIT | Must be configured to audit Account Management - User Account Management failures."
+ win_shell: AuditPol /get /subcategory:"User Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: wn19_au_000120_audit
+ check_mode: no
+ changed_when: "'Failure' not in wn19_au_000120_audit.stdout"
+ tags: audit
+
+ - name: "MEDIUM | WN19-AU-000120 | PATCH | Must be configured to audit Account Management - User Account Management failures."
+ win_shell: AuditPol /set /subcategory:"User Account Management" /failure:enable
+ when: wn19_au_000120_audit is defined
+ changed_when: "'Failure' not in wn19_au_000120_audit.stdout"
+ tags: patch
+ when: wn19_au_000120
+ tags:
+ - WN19-AU-000120
+ - V-92983
+ - SRG-OS-000004
+ - SV-103071r1
+ - CCI-000018
+ - CCI-000172
+ - CCI-001403
+ - CCI-001404
+ - CCI-001405
+ - CCI-002130
+ - medium
+
+- name: "MEDIUM | WN19-AU-000130 | Must be configured to audit Detailed Tracking - Plug and Play Events successes."
+ block:
+ - name: "MEDIUM | WN19-AU-000130 | AUDIT | Must be configured to audit Detailed Tracking - Plug and Play Events successes."
+ win_shell: AuditPol /get /subcategory:"Plug and Play Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: wn19_au_000130_audit
+ check_mode: no
+ changed_when: "'Success' not in wn19_au_000130_audit.stdout"
+ tags: audit
+
+ - name: "MEDIUM | WN19-AU-000130 | PATCH | Must be configured to audit Detailed Tracking - Plug and Play Events successes."
+ win_shell: AuditPol /set /subcategory:"Plug and Play Events" /success:enable
+ when: wn19_au_000130_audit is defined
+ changed_when: "'Success' not in wn19_au_000130_audit.stdout"
+ tags: patch
+ when: wn19_au_000130
+ tags:
+ - WN19-AU-000130
+ - V-93157
+ - SRG-OS-000474-GPOS-00219
+ - SV-103245r1
+ - CCI-000172
+ - patch
+
+- name: "MEDIUM | WN19-AU-000140 | Must be configured to audit Detailed Tracking - Process Creation successes."
+ block:
+ - name: "MEDIUM | WN19-AU-000140 | AUDIT | Must be configured to audit Detailed Tracking - Process Creation successes."
+ win_shell: AuditPol /get /subcategory:"Process Creation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: wn19_au_000140_audit
+ check_mode: no
+ changed_when: "'Success' not in wn19_au_000140_audit.stdout"
+ tags: audit
+
+ - name: "MEDIUM | WN19-AU-000140 | PATCH | Must be configured to audit Detailed Tracking - Process Creation successes."
+ win_shell: AuditPol /set /subcategory:"Process Creation" /success:enable
+ when: wn19_au_000140_audit is defined
+ changed_when: "'Success' not in wn19_au_000140_audit.stdout"
+ tags: patch
+ when: wn19_au_000140
+ tags:
+ - WN19-AU-000140
+ - V-93091
+ - SRG-OS-000327-GPOS-00127
+ - SV-103179r1
+ - CCI-000172
+ - CCI-002234
+ - medium
+
+- name: "MEDIUM | WN19-AU-000150 | Must be configured to audit Logon/Logoff - Account Lockout successes."
+ block:
+ - name: "MEDIUM | WN19-AU-000150 | AUDIT | Must be configured to audit Logon/Logoff - Account Lockout successes."
+ win_shell: AuditPol /get /subcategory:"Account Lockout" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: wn19_au_000150_audit
+ check_mode: no
+ changed_when: "'Success' not in wn19_au_000150_audit.stdout"
+ tags: audit
+
+ - name: "MEDIUM | WN19-AU-000150 | PATCH | Must be configured to audit Logon/Logoff - Account Lockout successes."
+ win_shell: AuditPol /set /subcategory:"Account Lockout" /success:enable
+ when: wn19_au_000150_audit is defined
+ changed_when: "'Success' not in wn19_au_000150_audit.stdout"
+ tags: patch
+ when: wn19_au_000150
+ tags:
+ - WN19-AU-000150
+ - V-92987
+ - SRG-OS-000240-GPOS-00090
+ - SV-103075r1
+ - CCI-000172
+ - CCI-001404
+ - medium
+
+- name: "MEDIUM | WN19-AU-000160 | Must be configured to audit Logon/Logoff - Account Lockout failures."
+ block:
+ - name: "MEDIUM | WN19-AU-000160 | AUDIT | Must be configured to audit Logon/Logoff - Account Lockout failures."
+ win_shell: AuditPol /get /subcategory:"Account Lockout" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: wn19_au_000160_audit
+ check_mode: no
+ changed_when: "'Failure' not in wn19_au_000160_audit.stdout"
+ tags: audit
+
+ - name: "MEDIUM | WN19-AU-000160 | PATCH | Must be configured to audit Logon/Logoff - Account Lockout failures."
+ win_shell: AuditPol /set /subcategory:"Account Lockout" /failure:enable
+ changed_when: "'Failure' not in wn19_au_000160_audit.stdout"
+ when: wn19_au_000160_audit is defined
+ tags: patch
+ when: wn19_au_000160
+ tags:
+ - WN19-AU-000160
+ - V-92989
+ - SRG-OS-000240-GPOS-00090
+ - SV-103077r1
+ - CCI-000172
+ - CCI-001404
+ - medium
+
+- name: "MEDIUM | WN19-AU-000170 | Must be configured to audit Logon/Logoff - Group Membership successes."
+ block:
+ - name: "MEDIUM | WN19-AU-000170 | AUDIT | Must be configured to audit Logon/Logoff - Group Membership successes."
+ win_shell: AuditPol /get /subcategory:"Group Membership" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: wn19_au_000170_audit
+ check_mode: no
+ changed_when: "'Success' not in wn19_au_000170_audit.stdout"
+ tags: audit
+
+ - name: "MEDIUM | WN19-AU-000170 | PATCH | Must be configured to audit Logon/Logoff - Group Membership successes."
+ win_shell: AuditPol /set /subcategory:"Group Membership" /success:enable
+ changed_when: "'Success' not in wn19_au_000170_audit.stdout"
+ when: wn19_au_000170_audit is defined
+ tags: patch
+ when: wn19_au_000170
+ tags:
+ - WN19-AU-000170
+ - V-93159
+ - SRG-OS-000470-GPOS-00214
+ - SV-103247r1
+ - CCI-000172
+ - medium
+
+- name: "MEDIUM | WN19-AU-000180 | Must be configured to audit logoff successes."
+ block:
+ - name: "MEDIUM | WN19-AU-000180 | AUDIT | Must be configured to audit logoff successes."
+ win_shell: AuditPol /get /subcategory:"Logoff" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: wn19_au_000180_audit
+ check_mode: no
+ changed_when: "'Success' not in wn19_au_000180_audit.stdout"
+ tags: audit
+
+ - name: "MEDIUM | WN19-AU-000180 | PATCH | Must be configured to audit logoff successes."
+ win_shell: AuditPol /set /subcategory:"Logoff" /success:enable
+ changed_when: "'Success' not in wn19_au_000180_audit.stdout"
+ when: wn19_au_000180_audit is defined
+ tags: patch
+ when: wn19_au_000180
+ tags:
+ - WN19-AU-000180
+ - V-93171
+ - SRG-OS-000472-GPOS-00217
+ - SV-103259r1
+ - CCI-000172
+ - CCI-000366
+ - medium
+
+- name: "MEDIUM | WN19-AU-000190 | Must be configured to audit logon successes."
+ block:
+ - name: "MEDIUM | WN19-AU-000190 | AUDIT | Must be configured to audit logon successes."
+ win_shell: AuditPol /get /subcategory:"Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: wn19_au_000190_audit
+ check_mode: no
+ changed_when: "'Success' not in wn19_au_000190_audit.stdout"
+ tags: audit
+
+ - name: "MEDIUM | WN19-AU-000190 | PATCH | Must be configured to audit logon successes."
+ win_shell: AuditPol /set /subcategory:"Logon" /success:enable
+ changed_when: "'Success' not in wn19_au_000190_audit.stdout"
+ when: wn19_au_000190_audit is defined
+ tags: patch
+ when: wn19_au_000190
+ tags:
+ - WN19-AU-000190
+ - V-92967
+ - SRG-OS-000032-GPOS-00013
+ - SV-103055r1
+ - CCI-000067
+ - CCI-000172
+ - medium
+
+- name: "MEDIUM | WN19-AU-000200 | Must be configured to audit logon failures"
+ block:
+ - name: "MEDIUM | WN19-AU-000200 | AUDIT | Must be configured to audit logon failures"
+ win_shell: AuditPol /get /subcategory:"Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: wn19_au_000200_audit
+ check_mode: no
+ changed_when: "'Failure' not in wn19_au_000200_audit.stdout"
+ tags: audit
+
+ - name: "MEDIUM | WN19-AU-000200 | PATCH | Must be configured to audit logon failures"
+ win_shell: AuditPol /set /subcategory:"Logon" /failure:enable
+ changed_when: "'Failure' not in wn19_au_000200_audit.stdout"
+ when: wn19_au_000200_audit is defined
+ tags: patch
+ when: wn19_au_000200
+ tags:
+ - WN19-AU-000200
+ - V-92969
+ - SRG-OS-000032-GPOS-00013
+ - SV-103057r1
+ - CCI-000067
+ - CCI-000172
+ - medium
+
+- name: "MEDIUM | WN19-AU-000210 | Must be configured to audit Logon/Logoff - Special Logon successes."
+ block:
+ - name: "MEDIUM | WN19-AU-000210 | AUDIT | Must be configured to audit Logon/Logoff - Special Logon successes."
+ win_shell: AuditPol /get /subcategory:"Special Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: wn19_au_000210_audit
+ check_mode: no
+ changed_when: "'Success' not in wn19_au_000210_audit.stdout"
+ tags: audit
+
+ - name: "MEDIUM | WN19-AU-000210 | PATCH | Must be configured to audit Logon/Logoff - Special Logon successes."
+ win_shell: AuditPol /set /subcategory:"Special Logon" /success:enable
+ changed_when: "'Success' not in wn19_au_000210_audit.stdout"
+ when: wn19_au_000210_audit is defined
+ tags: patch
+ when: wn19_au_000210
+ tags:
+ - WN19-AU-000210
+ - V-93161
+ - SRG-OS-000470-GPOS-00214
+ - SV-103249r1
+ - CCI-000172
+ - medium
+
+- name: "MEDIUM | WN19-AU-000220 | Must be configured to audit Object Access - Other Object Access Events successes."
+ win_audit_policy_system:
+ subcategory: Other Object Access Events
+ audit_type: success, failure
+ when: wn19_au_000220
+ tags:
+ - WN19-AU-000220
+ - V-93163
+ - SRG-OS-000470-GPOS-00214
+ - SV-103251r1
+ - CCI-000172
+ - patch
+ - medium
+
+- name: "MEDIUM | WN19-AU-000230 | Must be configured to audit Object Access - Other Object Access Events failures."
+ win_audit_policy_system:
+ subcategory: Other Object Access Events
+ audit_type: success, failure
+ when: wn19_au_000230
+ tags:
+ - WN19-AU-000230
+ - V-93165
+ - SRG-OS-000470-GPOS-00214
+ - SV-103253r1
+ - CCI-000172
+ - patch
+ - medium
+
+- name: "MEDIUM | WN19-AU-000240 | Must be configured to audit Object Access - Removable Storage successes."
+ block:
+ - name: "MEDIUM | WN19-AU-000240 | AUDIT | Must be configured to audit Object Access - Removable Storage successes."
+ win_shell: AuditPol /get /subcategory:"Removable Storage" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: wn19_au_000240_audit
+ check_mode: no
+ changed_when: "'Success' not in wn19_au_000240_audit.stdout"
+ tags: audit
+
+ - name: "MEDIUM | WN19-AU-000240 | PATCH | Must be configured to audit Object Access - Removable Storage successes."
+ win_shell: AuditPol /set /subcategory:"Removable Storage" /success:enable
+ changed_when: "'Success' not in wn19_au_000240_audit.stdout"
+ when: wn19_au_000240_audit is defined
+ tags: patch
+ when: wn19_au_000240
+ tags:
+ - WN19-AU-000240
+ - V-93167
+ - SRG-OS-000474-GPOS-00219
+ - SV-103255r1
+ - CCI-000172
+ - medium
+
+- name: "MEDIUM | WN19-AU-000250 | Must be configured to audit Object Access - Removable Storage failures."
+ block:
+ - name: "MEDIUM | WN19-AU-000250 | AUDIT | Must be configured to audit Object Access - Removable Storage failures."
+ win_shell: AuditPol /get /subcategory:"Removable Storage" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: wn19_au_000250_audit
+ check_mode: no
+ changed_when: "'Failure' not in wn19_au_000250_audit.stdout"
+ tags: audit
+
+ - name: "MEDIUM | WN19-AU-000250 | PATCH | Must be configured to audit Object Access - Removable Storage failures."
+ win_shell: AuditPol /set /subcategory:"Removable Storage" /failure:enable
+ changed_when: "'Failure' not in wn19_au_000250_audit.stdout"
+ when: wn19_au_000250_audit is defined
+ tags: patch
+ when: wn19_au_000250
+ tags:
+ - WN19-AU-000250
+ - V-93169
+ - SRG-OS-000474-GPOS-00219
+ - SV-103257r1
+ - CCI-000172
+ - patch
+
+- name: "MEDIUM | WN19-AU-000260 | Must be configured to audit Policy Change - Audit Policy Change successes."
+ block:
+ - name: "MEDIUM | WN19-AU-000260 | AUDIT | Must be configured to audit Policy Change - Audit Policy Change successes."
+ win_shell: AuditPol /get /subcategory:"Audit Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: wn19_au_000260_audit
+ check_mode: no
+ changed_when: "'Success' not in wn19_au_000260_audit.stdout"
+ tags: audit
+
+ - name: "MEDIUM | WN19-AU-000260 | PATCH | Must be configured to audit Policy Change - Audit Policy Change successes."
+ win_shell: AuditPol /set /subcategory:"Audit Policy Change" /success:enable
+ changed_when: "'Success' not in wn19_au_000260_audit.stdout"
+ when: wn19_au_000260_audit is defined
+ tags: patch
+ when: wn19_au_000260
+ tags:
+ - WN19-AU-000260
+ - V-93093
+ - SRG-OS-000327-GPOS-00127
+ - SV-103181r1
+ - CCI-000172
+ - CCI-002234
+ - medium
+
+- name: "MEDIUM | WN19-AU-000270 | Must be configured to audit Policy Change - Audit Policy Change failures."
+ block:
+ - name: "MEDIUM | WN19-AU-000270 | AUDIT | Must be configured to audit Policy Change - Audit Policy Change failures."
+ win_shell: AuditPol /get /subcategory:"Audit Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: wn19_au_000270_audit
+ check_mode: no
+ changed_when: "'Failure' not in wn19_au_000270_audit.stdout"
+ tags: audit
+
+ - name: "MEDIUM | WN19-AU-000270 | PATCH | Must be configured to audit Policy Change - Audit Policy Change failures."
+ win_shell: AuditPol /set /subcategory:"Audit Policy Change" /failure:enable
+ changed_when: "'Failure' not in wn19_au_000270_audit.stdout"
+ when: wn19_au_000270_audit is defined
+ tags: patch
+ when: wn19_au_000270
+ tags:
+ - WN19-AU-000270
+ - V-93095
+ - SRG-OS-000327-GPOS-00127
+ - SV-103183r1
+ - CCI-000172
+ - CCI-002234
+ - medium
+
+- name: "MEDIUM | WN19-AU-000280 | Must be configured to audit Policy Change - Authentication Policy Change successes."
+ block:
+ - name: "MEDIUM | WN19-AU-000280 | AUDIT | Must be configured to audit Policy Change - Authentication Policy Change successes."
+ win_shell: AuditPol /get /subcategory:"Authentication Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: wn19_au_000280_audit
+ check_mode: no
+ changed_when: "'Success' not in wn19_au_000280_audit.stdout"
+ tags: audit
+
+ - name: "MEDIUM | WN19-AU-000280 | PATCH | Must be configured to audit Policy Change - Authentication Policy Change successes."
+ win_shell: AuditPol /set /subcategory:"Authentication Policy Change" /success:enable
+ changed_when: "'Success' not in wn19_au_000280_audit.stdout"
+ when: wn19_au_000280_audit is defined
+ tags: patch
+ when: wn19_au_000280
+ tags:
+ - WN19-AU-000280
+ - V-93097
+ - SRG-OS-000327-GPOS-00127
+ - SV-103185r1
+ - CCI-000172
+ - CCI-002234
+ - medium
+
+- name: "MEDIUM | WN19-AU-000290 | Must be configured to audit Policy Change - Authorization Policy Change successes."
+ block:
+ - name: "MEDIUM | WN19-AU-000290 | AUDIT | Must be configured to audit Policy Change - Authorization Policy Change successes."
+ win_shell: AuditPol /get /subcategory:"Authorization Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: wn19_au_000290_audit
+ check_mode: no
+ changed_when: "'Success' not in wn19_au_000290_audit.stdout"
+ tags: audit
+
+ - name: "MEDIUM | WN19-AU-000290 | PATCH | Must be configured to audit Policy Change - Authorization Policy Change successes."
+ win_shell: AuditPol /set /subcategory:"Authorization Policy Change" /success:enable
+ changed_when: "'Success' not in wn19_au_000290_audit.stdout"
+ when: wn19_au_000290_audit is defined
+ tags: patch
+ when: wn19_au_000290
+ tags:
+ - WN19-AU-000290
+ - V-93099
+ - SRG-OS-000327-GPOS-00127
+ - SV-103187r1
+ - CCI-000172
+ - CCI-002234
+ - medium
+
+- name: "MEDIUM | WN19-AU-000300 | Must be configured to audit Privilege Use - Sensitive Privilege Use successes."
+ block:
+ - name: "MEDIUM | WN19-AU-000300 | AUDIT | Must be configured to audit Privilege Use - Sensitive Privilege Use successes."
+ win_shell: AuditPol /get /subcategory:"Sensitive Privilege Use" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: wn19_au_000300_audit
+ check_mode: no
+ changed_when: "'Success' not in wn19_au_000300_audit.stdout"
+ tags: audit
+
+ - name: "MEDIUM | WN19-AU-000300 | PATCH | Must be configured to audit Privilege Use - Sensitive Privilege Use successes."
+ win_shell: AuditPol /set /subcategory:"Sensitive Privilege Use" /success:enable
+ changed_when: "'Success' not in wn19_au_000300_audit.stdout"
+ when: wn19_au_000300_audit is defined
+ tags: patch
+ when: wn19_au_000300
+ tags:
+ - WN19-AU-000300
+ - V-93101
+ - SRG-OS-000327-GPOS-00127
+ - SV-103189r1
+ - CCI-000172
+ - CCI-002234
+ - medium
+
+- name: "MEDIUM | WN19-AU-000310 | Must be configured to audit Privilege Use - Sensitive Privilege Use failures."
+ block:
+ - name: "MEDIUM | WN19-AU-000310 | AUDIT | Must be configured to audit Privilege Use - Sensitive Privilege Use failures."
+ win_shell: AuditPol /get /subcategory:"Sensitive Privilege Use" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: wn19_au_000310_audit
+ check_mode: no
+ changed_when: "'Failure' not in wn19_au_000310_audit.stdout"
+ tags: audit
+
+ - name: "MEDIUM | WN19-AU-000310 | PATCH | Must be configured to audit Privilege Use - Sensitive Privilege Use failures."
+ win_shell: AuditPol /set /subcategory:"Sensitive Privilege Use" /failure:enable
+ changed_when: "'Failure' not in wn19_au_000310_audit.stdout"
+ when: wn19_au_000310_audit is defined
+ tags: patch
+ when: wn19_au_000310
+ tags:
+ - WN19-AU-000310
+ - V-93103
+ - SRG-OS-000327-GPOS-00127
+ - SV-103191r1
+ - CCI-000172
+ - CCI-002234
+ - medium
+
+- name: "MEDIUM | WN19-AU-000320 | Must be configured to audit System - IPsec Driver successes."
+ block:
+ - name: "MEDIUM | WN19-AU-000320 | AUDIT | Must be configured to audit System - IPsec Driver successes."
+ win_shell: AuditPol /get /subcategory:"IPsec Driver" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: wn19_au_000320_audit
+ check_mode: no
+ changed_when: "'Success' not in wn19_au_000320_audit.stdout"
+ tags: audit
+
+ - name: "MEDIUM | WN19-AU-000320 | PATCH | Must be configured to audit System - IPsec Driver successes."
+ win_shell: AuditPol /set /subcategory:"IPsec Driver" /success:enable
+ changed_when: "'Success' not in wn19_au_000320_audit.stdout"
+ when: wn19_au_000320_audit is defined
+ tags: patch
+ when: wn19_au_000320
+ tags:
+ - WN19-AU-000320
+ - V-93105
+ - SRG-OS-000327-GPOS-00127
+ - SV-103193r1
+ - CCI-000172
+ - CCI-002234
+ - medium
+
+- name: "MEDIUM | WN19-AU-000330 | Must be configured to audit System - IPsec Driver failures."
+ block:
+ - name: "MEDIUM | WN19-AU-000330 | AUDIT | Must be configured to audit System - IPsec Driver failures."
+ win_shell: AuditPol /get /subcategory:"IPsec Driver" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: wn19_au_000330_audit
+ check_mode: no
+ changed_when: "'Success' not in wn19_au_000330_audit.stdout"
+ tags: audit
+
+ - name: "MEDIUM | WN19-AU-000330 | PATCH | Must be configured to audit System - IPsec Driver failures."
+ win_shell: AuditPol /set /subcategory:"IPsec Driver" /failure:enable
+ changed_when: "'Success' not in wn19_au_000330_audit.stdout"
+ when: wn19_au_000330_audit is defined
+ tags: patch
+ when: wn19_au_000330
+ tags:
+ - WN19-AU-000330
+ - V-93107
+ - SRG-OS-000327-GPOS-00127
+ - SV-103195r1
+ - CCI-000172
+ - CCI-002234
+ - medium
+
+- name: "MEDIUM | WN19-AU-000340 | Must be configured to audit System - Other System Events successes."
+ block:
+ - name: "MEDIUM | WN19-AU-000340 | AUDIT | Must be configured to audit System - Other System Events successes."
+ win_shell: AuditPol /get /subcategory:"Other System Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: wn19_au_000340_audit
+ check_mode: no
+ changed_when: "'Success' not in wn19_au_000340_audit.stdout"
+ tags: audit
+
+ - name: "MEDIUM | WN19-AU-000340 | PATCH | Must be configured to audit System - Other System Events successes."
+ win_shell: AuditPol /set /subcategory:"Other System Events" /success:enable
+ changed_when: "'Success' not in wn19_au_000340_audit.stdout"
+ when: wn19_au_000340_audit is defined
+ tags: patch
+ when: wn19_au_000340
+ tags:
+ - WN19-AU-000340
+ - V-93109
+ - SRG-OS-000327-GPOS-00127
+ - SV-103197r1
+ - CCI-000172
+ - CCI-002234
+ - medium
+
+- name: "MEDIUM | WN19-AU-000350 | Must be configured to audit System - Other System Events failures."
+ block:
+ - name: "MEDIUM | WN19-AU-000350 | AUDIT | Must be configured to audit System - Other System Events failures."
+ win_shell: AuditPol /get /subcategory:"Other System Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: wn19_au_000350_audit
+ check_mode: no
+ changed_when: "'Failure' not in wn19_au_000350_audit.stdout"
+ tags: audit
+
+ - name: "MEDIUM | WN19-AU-000350 | PATCH | Must be configured to audit System - Other System Events failures."
+ win_shell: AuditPol /set /subcategory:"Other System Events" /failure:enable
+ check_mode: no
+ changed_when: "'Failure' not in wn19_au_000350_audit.stdout"
+ when: wn19_au_000350_audit is defined
+ tags: patch
+ when: wn19_au_000350
+ tags:
+ - WN19-AU-000350
+ - V-93111
+ - SRG-OS-000327-GPOS-00127
+ - SV-103199r1
+ - CCI-000172
+ - CCI-002234
+ - medium
+
+- name: "MEDIUM | WN19-AU-000360 | Must be configured to audit System - Security State Change successes."
+ block:
+ - name: "MEDIUM | WN19-AU-000360 | AUDIT | Must be configured to audit System - Security State Change successes."
+ win_shell: AuditPol /get /subcategory:"Security State Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: wn19_au_000360_audit
+ check_mode: no
+ changed_when: "'Success' not in wn19_au_000360_audit.stdout"
+ tags: audit
+
+ - name: "MEDIUM | WN19-AU-000360 | PATCH | Must be configured to audit System - Security State Change successes."
+ win_shell: AuditPol /set /subcategory:"Security State Change" /success:enable
+ check_mode: no
+ changed_when: "'Success' not in wn19_au_000360_audit.stdout"
+ when: wn19_au_000360_audit is defined
+ tags: patch
+ when: wn19_au_000360
+ tags:
+ - WN19-AU-000360
+ - V-93113
+ - SRG-OS-000327-GPOS-00127
+ - SV-103201r1
+ - CCI-000172
+ - CCI-002234
+ - medium
+
+- name: "MEDIUM | WN19-AU-000370 | Must be configured to audit System - Security System Extension successes."
+ block:
+ - name: "MEDIUM | WN19-AU-000370 | AUDIT | Must be configured to audit System - Security System Extension successes."
+ win_shell: AuditPol /get /subcategory:"Security System Extension" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: wn19_au_000370_audit
+ check_mode: no
+ changed_when: "'Success' not in wn19_au_000370_audit.stdout"
+ tags: audit
+
+ - name: "MEDIUM | WN19-AU-000370 | PATCH | Must be configured to audit System - Security System Extension successes."
+ win_shell: AuditPol /set /subcategory:"Security System Extension" /success:enable
+ check_mode: no
+ changed_when: "'Success' not in wn19_au_000370_audit.stdout"
+ when: wn19_au_000370_audit is defined
+ tags: patch
+ when: wn19_au_000370
+ tags:
+ - WN19-AU-000370
+ - V-93115
+ - SRG-OS-000327-GPOS-00127
+ - SV-103203r1
+ - CCI-000172
+ - CCI-002234
+ - medium
+
+- name: "MEDIUM | WN19-AU-000380 | Must be configured to audit System - System Integrity successes."
+ block:
+ - name: "MEDIUM | WN19-AU-000380 | AUDIT | Must be configured to audit System - System Integrity successes."
+ win_shell: AuditPol /get /subcategory:"System Integrity" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: wn19_au_000380_audit
+ check_mode: no
+ changed_when: "'Success' not in wn19_au_000380_audit.stdout"
+ tags: audit
+
+ - name: "MEDIUM | WN19-AU-000380 | PATCH | Must be configured to audit System - System Integrity successes."
+ win_shell: AuditPol /set /subcategory:"System Integrity" /success:enable
+ check_mode: no
+ changed_when: "'Success' not in wn19_au_000380_audit.stdout"
+ when: wn19_au_000380_audit is defined
+ tags: patch
+ when: wn19_au_000380
+ tags:
+ - WN19-AU-000380
+ - V-93117
+ - SRG-OS-000327-GPOS-00127
+ - SV-103205r1
+ - CCI-000172
+ - CCI-002234
+ - medium
+
+- name: "MEDIUM | WN19-AU-000390 | Must be configured to audit System - System Integrity failures."
+ block:
+ - name: "MEDIUM | WN19-AU-000390 | AUDIT | Must be configured to audit System - System Integrity failures."
+ win_shell: AuditPol /get /subcategory:"System Integrity" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: wn19_au_000390_audit
+ check_mode: no
+ changed_when: "'Failure' not in wn19_au_000390_audit.stdout"
+ tags: audit
+
+ - name: "MEDIUM | WN19-AU-000390 | PATCH | Must be configured to audit System - System Integrity failures."
+ win_shell: AuditPol /set /subcategory:"System Integrity" /failure:enable
+ check_mode: no
+ changed_when: "'Failure' not in wn19_au_000390_audit.stdout"
+ when: wn19_au_000390_audit is defined
+ tags: patch
+ when: wn19_au_000390
+ tags:
+ - WN19-AU-000390
+ - V-93119
+ - SRG-OS-000327-GPOS-00127
+ - SV-103207r1
+ - CCI-000172
+ - CCI-002234
+ - medium
+
+# some versions may be core/no gui, may need a prelim to detect?
+- name: "MEDIUM | WN19-CC-000010 | Must prevent the display of slide shows on the lock screen."
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization
+ state: present
+ value: NoLockScreenSlideshow
+ data: 1
+ datatype: dword
+ when: wn19_cc_000010
+ tags:
+ - WN19-CC-000010
+ - V-93399
+ - SRG-OS-000095-GPOS
+ - SV-103485r1
+ - CCI-000381
+ - medium
+ - patch
+
+- name: "MEDIUM | WN19-CC-000020 | Must have WDigest Authentication disabled."
+ win_regedit:
+ path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest
+ state: present
+ value: UseLogonCredential
+ data: 0
+ datatype: dword
+ when: wn19_cc_000020
+ tags:
+ - WN19-CC-000020
+ - V-93401
+ - SRG-OS-000095-GPOS-00049
+ - SV-103487r1
+ - CCI-000381
+ - medium
+ - patch
+
+- name: "MEDIUM | WN19-CC-000070 | Insecure logons to an SMB server must be disabled."
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation
+ state: present
+ value: AllowInsecureGuestAuth
+ data: 0
+ datatype: dword
+ when: wn19_cc_000070
+ tags:
+ - WN19-CC-000070
+ - V-93239
+ - SRG-OS-000480-GPOS-00227
+ - SV-103327r1
+ - CCI-000366
+ - medium
+ - patch
+
+# verify if this applies to DC or only MS?
+- name: "MEDIUM | WN19-CC-000080 | Hardened Universal Naming Convention (UNC) paths must be defined to require mutual authentication and integrity for at least the SYSVOL and NETLOGON shares."
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths
+ state: present
+ value: "{{ item }}"
+ data: RequireMutualAuthentication=1, RequireIntegrity=1
+ datatype: string
+ loop:
+ - \\*\SYSVOL
+ - \\*\NETLOGON
+ when:
+ - wn19_cc_000080
+ - ansible_windows_domain_member
+ tags:
+ - WN19-CC-000080
+ - V-93241
+ - SRG-OS-000480-GPOS-00227
+ - SV-103329r1
+ - CCI-000366
+ - patch
+ - medium
+ - NotTested
+
+- name: "MEDIUM | WN19-CC-000090 | Command line data must be included in process creation events."
+ win_regedit:
+ path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit
+ state: present
+ value: ProcessCreationIncludeCmdLine_Enabled
+ data: 1
+ datatype: dword
+ when: wn19_cc_000090
+ tags:
+ - WN19-CC-000090
+ - V-93173
+ - SRG-OS-000042-GPOS-00020
+ - SV-103261r1
+ - CCI-000135
+ - medium
+ - patch
+
+- name: "MEDIUM | WN19-CC-000100 | Command line data must be included in process creation events."
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation
+ state: present
+ value: AllowProtectedCreds
+ data: 1
+ datatype: dword
+ when: wn19_cc_000100
+ tags:
+ - WN19-CC-000100
+ - V-93243
+ - SRG-OS-000480-GPOS-00227
+ - SV-103331r1
+ - CCI-000366
+ - medium
+ - patch
+
+- name: "MEDIUM | WN19-CC-000110 | Virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection."
+ block:
+ - name: "MEDIUM | WN19-CC-000110 | AUDIT | Virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection."
+ win_shell: echo true
+ register: wn19_cc_000110_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-CC-000110 | PATCH | Virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection."
+ win_shell: echo true
+ changed_when: no
+ tags: patch
+ when:
+ - wn19_cc_000110
+ - ansible_windows_domain_member
+ - is_implemented
+ tags:
+ - WN19-CC-000110
+ - V-93245
+ - SRG-OS-000480-GPOS-00227
+ - SV-103333r1
+ - CCI-000366
+ - medium
+
+- name: "MEDIUM | WN19-CC-000130 | Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad."
+ win_regedit:
+ path: HKLM:\SYSTEM\CurrentControlSet\Policies\EarlyLaunch
+ state: present
+ value: DriverLoadPolicy
+ data: 1
+ datatype: dword
+ when: wn19_cc_000130
+ tags:
+ - WN19-CC-000130
+ - V-93249
+ - SRG-OS-000480-GPOS-00227
+ - SV-103337r1
+ - CCI-000366
+ - medium
+ - patch
+
+- name: "MEDIUM | WN19-CC-000140 | Group Policy objects must be reprocessed even if they have not changed."
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}
+ state: present
+ value: NoGPOListChanges
+ data: 0
+ datatype: dword
+ when: wn19_cc_000140
+ tags:
+ - WN19-CC-000140
+ - V-93251
+ - SRG-OS-000480-GPOS-00227
+ - SV-103339r1
+ - CCI-000366
+ - medium
+ - patch
+
+- name: "MEDIUM | WN19-CC-000150 | Downloading print driver packages over HTTP must be turned off."
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers
+ state: present
+ value: DisableWebPnPDownload
+ data: 1
+ datatype: dword
+ when: wn19_cc_000150
+ tags:
+ - WN19-CC-000150
+ - V-93403
+ - SRG-OS-000095-GPOS-00049
+ - SV-103489r1
+ - CCI-000381
+ - medium
+ - patch
+
+- name: "MEDIUM | WN19-CC-000160 | Printing over HTTP must be turned off."
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers
+ state: present
+ value: DisableHTTPPrinting
+ data: 1
+ datatype: dword
+ when: wn19_cc_000160
+ tags:
+ - WN19-CC-000160
+ - V-93405
+ - SRG-OS-000095-GPOS-00049
+ - SV-103491r1
+ - CCI-000381
+ - medium
+ - patch
+
+- name: "MEDIUM | WN19-CC-000170 | Network selection user interface (UI) must not be displayed on the logon screen."
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System
+ state: present
+ value: DontDisplayNetworkSelectionUI
+ data: 1
+ datatype: dword
+ when: wn19_cc_000170
+ tags:
+ - WN19-CC-000170
+ - V-93407
+ - SRG-OS-000095-GPOS-00049
+ - SV-103493r1
+ - CCI-000381
+ - medium
+ - patch
+
+- name: "MEDIUM | WN19-CC-000180 | Users must be prompted to authenticate when the system wakes from sleep (on battery)."
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51
+ state: present
+ value: DCSettingIndex
+ data: 1
+ datatype: dword
+ when: wn19_cc_000180
+ tags:
+ - WN19-CC-000180
+ - V-93253
+ - SRG-OS-000480-GPOS-00227
+ - SV-103341r1
+ - CCI-000366
+ - medium
+ - patch
+
+- name: "MEDIUM | WN19-CC-000190 | Users must be prompted to authenticate when the system wakes from sleep (plugged in)."
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51
+ state: present
+ value: ACSettingIndex
+ data: 1
+ datatype: dword
+ when: wn19_cc_000190
+ tags:
+ - WN19-CC-000190
+ - V-93255
+ - SRG-OS-000480-GPOS-00227
+ - SV-103343r1
+ - CCI-000366
+ - medium
+ - patch
+
+- name: "MEDIUM | WN19-CC-000240 | Administrator accounts must not be enumerated during elevation."
+ win_regedit:
+ path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI
+ state: present
+ value: EnumerateAdministrators
+ data: 0
+ datatype: dword
+ when: wn19_cc_000240
+ tags:
+ - WN19-CC-000240
+ - V-93517
+ - SRG-OS-000134-GPOS-00068
+ - SV-103603r1
+ - CCI-001084
+ - medium
+ - patch
+
+- name: "MEDIUM | WN19-CC-000250 | Windows Telemetry must be configured to Security or Basic."
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection
+ state: present
+ value: AllowTelemetry
+ data: 0
+ datatype: dword
+ when: wn19_cc_000250
+ tags:
+ - WN19-CC-000250
+ - V-93257
+ - SRG-OS-000480-GPOS-00227
+ - SV-103345r1
+ - CCI-000366
+ - medium
+ - patch
+
+- name: "MEDIUM | WN19-CC-000260 | Must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes."
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization
+ state: present
+ value: DODownloadMode
+ data: 1
+ datatype: dword
+ when: wn19_cc_000260
+ tags:
+ - WN19-CC-000260
+ - V-93259
+ - SRG-OS-000480-GPOS-00227
+ - SV-103347r1
+ - CCI-000366
+ - medium
+ - patch
+
+- name: "MEDIUM | WN19-CC-000270 | The Application event log size must be configured to 32768 KB or greater."
+ block:
+ - name: "MEDIUM | WN19-CC-000270 | AUDIT | The Application event log size must be configured to 32768 KB or greater."
+ win_reg_stat:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application
+ name: MaxSize
+ register: wn19_cc_000270_audit
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-CC-000270 | PATCH | The Application event log size must be configured to 32768 KB or greater."
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application
+ state: present
+ value: MaxSize
+ data: "{{ wn19_cc_000270_app_maxsize }}"
+ datatype: dword
+ when:
+ - wn19_cc_000270_audit is defined
+ - not wn19_cc_000270_audit.exists or wn19_cc_000270_audit.value < 32768
+ tags: patch
+ when: wn19_cc_000270
+ tags:
+ - WN19-CC-000270
+ - V-93177
+ - SRG-OS-000341-GPOS-00132
+ - SV-103265r1
+ - CCI-001849
+ - medium
+
+- name: "MEDIUM | WN19-CC-000280 | The Security event log size must be configured to 196608 KB or greater."
+ block:
+ - name: "MEDIUM | WN19-CC-000280 | AUDIT | The Security event log size must be configured to 196608 KB or greater."
+ win_reg_stat:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security
+ name: MaxSize
+ register: wn19_cc_000280_audit
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-CC-000280 | PATCH | The Security event log size must be configured to 196608 KB or greater."
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security
+ state: present
+ value: MaxSize
+ data: "{{ wn19_cc_000280_sec_maxsize }}"
+ datatype: dword
+ when:
+ - wn19_cc_000280_audit is defined
+ - not wn19_cc_000280_audit.exists or wn19_cc_000280_audit.value < 196608
+ tags: patch
+ when: wn19_cc_000280
+ tags:
+ - WN19-CC-000280
+ - V-93179
+ - SRG-OS-000341-GPOS-00132
+ - SV-103267r1
+ - CCI-001849
+ - medium
+
+- name: "MEDIUM | WN19-CC-000290 | The System event log size must be configured to 32768 KB or greater."
+ block:
+ - name: "MEDIUM | WN19-CC-000290 | AUDIT | The System event log size must be configured to 32768 KB or greater."
+ win_reg_stat:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\System
+ name: MaxSize
+ register: wn19_cc_000290_audit
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-CC-000290 | PATCH | The System event log size must be configured to 32768 KB or greater."
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\System
+ state: present
+ value: MaxSize
+ data: "{{ wn19_cc_000290_sys_maxsize }}"
+ datatype: dword
+ when:
+ - wn19_cc_000290_audit is defined
+ - not wn19_cc_000290_audit.exists or wn19_cc_000290_audit.value < 32768
+ tags: patch
+ when: wn19_cc_000290
+ tags:
+ - WN19-CC-000290
+ - V-93181
+ - SRG-OS-000341-GPOS-00132
+ - SV-103269r1
+ - CCI-001849
+ - medium
+
+- name: "MEDIUM | WN19-CC-000300 | Windows Defender SmartScreen must be enabled."
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System
+ state: present
+ value: EnableSmartScreen
+ data: 1
+ datatype: dword
+ when: wn19_cc_000300
+ tags:
+ - WN19-CC-000300
+ - V-93411
+ - SRG-OS-000095-GPOS-00049
+ - SV-103497r2
+ - CCI-000381
+ - medium
+ - patch
+
+- name: "MEDIUM | WN19-CC-000310 | Explorer Data Execution Prevention must be enabled."
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer
+ state: present
+ value: NoDataExecutionPrevention
+ data: 0
+ datatype: dword
+ when: wn19_cc_000310
+ tags:
+ - WN19-CC-000310
+ - V-93563
+ - SRG-OS-000433-GPOS-00192
+ - SV-103649r1
+ - CCI-002824
+ - patch
+ - medium
+
+- name: "MEDIUM | WN19-CC-000330 | File Explorer shell protocol must run in protected mode."
+ win_regedit:
+ path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
+ state: present
+ value: PreXPSP2ShellProtocolBehavior
+ data: 0
+ datatype: dword
+ when: wn19_cc_000330
+ tags:
+ - WN19-CC-000330
+ - V-93263
+ - SRG-OS-000480-GPOS-00227
+ - SV-103351r1
+ - CCI-000366
+ - patch
+ - medium
+
+- name: "MEDIUM | WN19-CC-000340 | Passwords must not be saved in the Remote Desktop Client."
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
+ state: present
+ value: DisablePasswordSaving
+ data: 1
+ datatype: dword
+ when: wn19_cc_000340
+ tags:
+ - WN19-CC-000340
+ - V-93425
+ - SRG-OS-000373-GPOS-00157
+ - SV-103511r1
+ - CCI-002038
+ - medium
+ - patch
+
+- name: "MEDIUM | WN19-CC-000350 | Remote Desktop Services must prevent drive redirection."
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
+ state: present
+ value: fDisableCdm
+ data: 1
+ datatype: dword
+ when: wn19_cc_000350
+ tags:
+ - WN19-CC-000350
+ - V-93533
+ - SRG-OS-000138-GPOS-00069
+ - SV-103619r1
+ - CCI-001090
+ - patch
+ - medium
+
+- name: "MEDIUM | WN19-CC-000360 | Remote Desktop Services must always prompt a client for passwords upon connection."
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
+ state: present
+ value: fPromptForPassword
+ data: 1
+ datatype: dword
+ when: wn19_cc_000360
+ tags:
+ - WN19-CC-000360
+ - V-93427
+ - SRG-OS-000373-GPOS-00157
+ - SV-103513r1
+ - CCI-002038
+ - medium
+ - patch
+
+- name: "MEDIUM | WN19-CC-000370 | Remote Desktop Services must always prompt a client for passwords upon connection."
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
+ state: present
+ value: fEncryptRPCTraffic
+ data: 1
+ datatype: dword
+ when: wn19_cc_000370
+ tags:
+ - WN19-CC-000370
+ - V-92971
+ - SRG-OS-000033-GPOS-00014
+ - SV-103059r1
+ - CCI-000068
+ - CCI-001453
+ - medium
+ - patch
+
+- name: "MEDIUM | WN19-CC-000380 | Remote Desktop Services must be configured with the client connection encryption set to High Level."
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
+ state: present
+ value: MinEncryptionLevel
+ data: 3
+ datatype: dword
+ when: wn19_cc_000380
+ tags:
+ - WN19-CC-000380
+ - V-92973
+ - SRG-OS-000033-GPOS-00014
+ - SV-103061r1
+ - CCI-000068
+ - CCI-001453
+ - medium
+ - patch
+
+- name: "MEDIUM | WN19-CC-000390 | Must prevent attachments from being downloaded from RSS feeds."
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds
+ state: present
+ value: DisableEnclosureDownload
+ data: 1
+ datatype: dword
+ when: wn19_cc_000390
+ tags:
+ - WN19-CC-000390
+ - V-93265
+ - SRG-OS-000480-GPOS-00227
+ - SV-103353r1
+ - CCI-000366
+ - medium
+ - patch
+
+- name: "MEDIUM | WN19-CC-000400 | Must disable Basic authentication for RSS feeds over HTTP."
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds
+ state: present
+ value: AllowBasicAuthInClear
+ data: 0
+ datatype: dword
+ when: wn19_cc_000400
+ tags:
+ - WN19-CC-000400
+ - V-93413
+ - SRG-OS-000095-GPOS-00049
+ - SV-103499r1
+ - CCI-000381
+ - medium
+ - patch
+
+- name: "MEDIUM | WN19-CC-000410 | Must prevent Indexing of encrypted files."
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search
+ state: present
+ value: AllowIndexingEncryptedStoresOrItems
+ data: 0
+ datatype: dword
+ when: wn19_cc_000410
+ tags:
+ - WN19-CC-000410
+ - V-93415
+ - SRG-OS-000095-GPOS-00049
+ - SV-103501r1
+ - CCI-000381
+ - medium
+ - patch
+
+- name: "MEDIUM | WN19-CC-000420 | Must prevent users from changing installation options."
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer
+ state: present
+ value: EnableUserControl
+ data: 0
+ datatype: dword
+ when: wn19_cc_000420
+ tags:
+ - WN19-CC-000420
+ - V-93199
+ - SRG-OS-000362-GPOS-00149
+ - SV-103287r1
+ - CCI-001812
+ - patch
+ - medium
+
+- name: "MEDIUM | WN19-CC-000430 | Must disable the Windows Installer Always install with elevated privileges option."
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer
+ state: present
+ value: AlwaysInstallElevated
+ data: 0
+ datatype: dword
+ when: wn19_cc_000430
+ tags:
+ - WN19-CC-000430
+ - V-93201
+ - SRG-OS-000362-GPOS-00149
+ - SV-103289r1
+ - CCI-001812
+ - medium
+ - patch
+
+- name: "MEDIUM | WN19-CC-000440 | Users must be notified if a web-based program attempts to install software."
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer
+ state: present
+ value: SafeForScripting
+ data: 0
+ datatype: dword
+ when: wn19_cc_000440
+ tags:
+ - WN19-CC-000440
+ - V-93267
+ - SRG-OS-000480-GPOS-00227
+ - SV-103355r1
+ - CCI-000366
+ - patch
+ - medium
+
+- name: "MEDIUM | WN19-CC-000450 | Automatically signing in the last interactive user after a system-initiated restart must be disabled."
+ win_regedit:
+ path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
+ state: present
+ value: DisableAutomaticRestartSignOn
+ data: 1
+ datatype: dword
+ when: wn19_cc_000450
+ tags:
+ - WN19-CC-000450
+ - V-93269
+ - SRG-OS-000480-GPOS-00229
+ - SV-103357r1
+ - CCI-000366
+ - medium
+ - patch
+
+- name: "MEDIUM | WN19-CC-000460 | PowerShell script block logging must be enabled."
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
+ state: present
+ value: EnableScriptBlockLogging
+ data: 1
+ datatype: dword
+ when: wn19_cc_000460
+ tags:
+ - WN19-CC-000460
+ - V-93175
+ - SRG-OS-000042-GPOS-00020
+ - SV-103263r1
+ - CCI-000135
+ - patch
+ - medium
+
+- name: "MEDIUM | WN19-CC-000470 | Windows Remote Management (WinRM) client must not use Basic authentication."
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client
+ state: present
+ value: AllowBasic
+ data: 0
+ datatype: dword
+ when: wn19_cc_000470
+ tags:
+ - WN19-CC-000470
+ - V-93503
+ - SRG-OS-000125-GPOS-00065
+ - SV-103589r1
+ - CCI-000877
+ - medium
+ - patch
+
+- name: "MEDIUM | WN19-CC-000480 | The Windows Remote Management (WinRM) client must not allow unencrypted traffic."
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client
+ state: present
+ value: AllowUnencryptedTraffic
+ data: 0
+ datatype: dword
+ when: wn19_cc_000480
+ tags:
+ - WN19-CC-000480
+ - V-93499
+ - SRG-OS-000393-GPOS-00173
+ - SV-103585r1
+ - CCI-002890
+ - CCI-003123
+ - medium
+ - patch
+
+- name: "MEDIUM | WN19-CC-000490 | Windows Remote Management (WinRM) client must not use Digest authentication."
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client
+ state: present
+ value: AllowDigest
+ data: 0
+ datatype: dword
+ when: wn19_cc_000490
+ tags:
+ - WN19-CC-000490
+ - V-93505
+ - SRG-OS-000125-GPOS-00065
+ - SV-103591r1
+ - CCI-000877
+ - medium
+ - patch
+
+- name: "MEDIUM | WN19-CC-000500 | Windows Remote Management (WinRM) client must not use Digest authentication."
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client
+ state: present
+ value: AllowDigest
+ data: 0
+ datatype: dword
+ when: wn19_cc_000500
+ tags:
+ - WN19-CC-000500
+ - V-93507
+ - SRG-OS-000125-GPOS-00065
+ - SV-103593r1
+ - CCI-000877
+ - medium
+ - patch
+
+- name: "MEDIUM | WN19-CC-000510 | The Windows Remote Management (WinRM) client must not allow unencrypted traffic."
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client
+ state: present
+ value: AllowUnencryptedTraffic
+ data: 0
+ datatype: dword
+ when: wn19_cc_000510
+ tags:
+ - WN19-CC-000510
+ - V-93501
+ - SRG-OS-000393-GPOS-00173
+ - SV-103587r1
+ - CCI-002890
+ - CCI-003123
+ - medium
+ - patch
+
+- name: "MEDIUM | WN19-CC-000520 | The Windows Remote Management (WinRM) service must not store RunAs credentials."
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service
+ state: present
+ value: DisableRunAs
+ data: 1
+ datatype: dword
+ when: wn19_cc_000520
+ tags:
+ - WN19-CC-000520
+ - V-93429
+ - SRG-OS-000373-GPOS-00157
+ - SV-103515r1
+ - CCI-002038
+ - medium
+ - patch
+
+- name: "MEDIUM | WN19-DC-000020 | Kerberos user logon restrictions must be enforced."
+ block:
+ - name: "MEDIUM | WN19-DC-000020 | AUDIT | Kerberos user logon restrictions must be enforced."
+ win_shell: echo true
+ register: wn19_dc_000020_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-DC-000020 | PATCH | Kerberos user logon restrictions must be enforced."
+ win_shell: echo true
+ changed_when: no
+ tags: patch
+ when:
+ - wn19_dc_000020
+ - ansible_windows_domain_role == "Primary domain controller"
+ - is_implemented
+ tags:
+ - WN19-DC-000020
+ - V-93443
+ - SRG-OS-000112-GPOS-00057
+ - SV-103529r1
+ - CCI-001941
+ - CCI-001942
+ - medium
+
+- name: "MEDIUM | WN19-DC-000030 | The Kerberos service ticket maximum lifetime must be limited to 600 minutes or less."
+ block:
+ - name: "MEDIUM | WN19-DC-000030 | AUDIT | The Kerberos service ticket maximum lifetime must be limited to 600 minutes or less."
+ win_shell: echo true
+ register: wn19_dc_000030_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-DC-000030 | PATCH | The Kerberos service ticket maximum lifetime must be limited to 600 minutes or less."
+ win_shell: echo true
+ changed_when: no
+ tags: patch
+ when:
+ - wn19_dc_000030
+ - ansible_windows_domain_role == "Primary domain controller"
+ - is_implemented
+ tags:
+ - WN19-DC-000030
+ - V-93445
+ - SRG-OS-000112-GPOS-00057
+ - SV-103531r1
+ - CCI-001941
+ - CCI-001942
+ - medium
+
+- name: "MEDIUM | WN19-DC-000040 | The Kerberos user ticket lifetime must be limited to 10 hours or less."
+ block:
+ - name: "MEDIUM | WN19-DC-000040 | AUDIT | The Kerberos user ticket lifetime must be limited to 10 hours or less."
+ win_shell: echo true
+ register: wn19_dc_000040_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-DC-000040 | PATCH | The Kerberos user ticket lifetime must be limited to 10 hours or less."
+ win_shell: echo true
+ changed_when: no
+ tags: patch
+ when:
+ - wn19_dc_000040
+ - ansible_windows_domain_role == "Primary domain controller"
+ - is_implemented
+ tags:
+ - WN19-DC-000040
+ - V-93447
+ - SRG-OS-000112-GPOS-00057
+ - SV-103533r1
+ - CCI-001941
+ - CCI-001942
+ - medium
+
+- name: "MEDIUM | WN19-DC-000050 | The Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less."
+ block:
+ - name: "MEDIUM | WN19-DC-000050 | AUDIT | The Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less."
+ win_shell: echo true
+ register: wn19_dc_000050_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-DC-000050 | PATCH | The Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less."
+ win_shell: echo true
+ changed_when: no
+ tags: patch
+ when:
+ - wn19_dc_000050
+ - ansible_windows_domain_role == "Primary domain controller"
+ - is_implemented
+ tags:
+ - WN19-DC-000050
+ - V-93449
+ - SRG-OS-000112-GPOS-00057
+ - SV-103535r1
+ - CCI-001941
+ - CCI-001942
+ - medium
+
+- name: "MEDIUM | WN19-DC-000060 | The computer clock synchronization tolerance must be limited to 5 minutes or less."
+ block:
+ - name: "MEDIUM | WN19-DC-000060 | AUDIT | The computer clock synchronization tolerance must be limited to 5 minutes or less."
+ win_shell: echo true
+ register: wn19_dc_000060_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-DC-000060 | PATCH | The computer clock synchronization tolerance must be limited to 5 minutes or less."
+ win_shell: echo true
+ changed_when: no
+ tags: patch
+ when:
+ - wn19_dc_000060
+ - ansible_windows_domain_role == "Primary domain controller"
+ - is_implemented
+ tags:
+ - WN19-DC-000060
+ - V-93451
+ - SRG-OS-000112-GPOS-00057
+ - SV-103537r1
+ - CCI-001941
+ - CCI-001942
+ - medium
+
+- name: "MEDIUM | WN19-DC-000120 | Data files owned by users must be on a different logical partition from the directory server data files."
+ block:
+ - name: "MEDIUM | WN19-DC-000120 | AUDIT | Data files owned by users must be on a different logical partition from the directory server data files."
+ win_shell: echo true
+ register: wn19_dc_000120_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-DC-000120 | PATCH | Data files owned by users must be on a different logical partition from the directory server data files."
+ win_shell: echo true
+ changed_when: no
+ tags: patch
+ when:
+ - wn19_dc_000120
+ - ansible_windows_domain_role == "Primary domain controller"
+ - is_implemented
+ tags:
+ - WN19-DC-000120
+ - V-93535
+ - SRG-OS-000138-GPOS-00069
+ - SV-103621r1
+ - CCI-001090
+ - medium
+
+- name: "MEDIUM | WN19-DC-000130 | Domain controllers must run on a machine dedicated to that function."
+ block:
+ - name: "MEDIUM | WN19-DC-000130 | AUDIT | Domain controllers must run on a machine dedicated to that function."
+ win_shell: echo true
+ register: wn16_dc_000130_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-DC-000130 | PATCH | Domain controllers must run on a machine dedicated to that function."
+ win_shell: echo true
+ changed_when: no
+ tags: patch
+ when:
+ - wn16_dc_000130
+ - ansible_windows_domain_role == "Primary domain controller"
+ - is_implemented
+ tags:
+ - WN19-DC-000130
+ - V-93417
+ - SRG-OS-000095-GPOS-00049
+ - SV-103503r1
+ - CCI-000381
+ - medium
+
+- name: "MEDIUM | WN19-DC-000140 | Must use separate, NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data."
+ block:
+ - name: "MEDIUM | WN19-DC-000140 | AUDIT | Must use separate, NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data."
+ win_shell: echo true
+ register: wn19_dc_000140_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-DC-000140 | PATCH | Must use separate, NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data."
+ win_shell: echo true
+ changed_when: no
+ tags: patch
+ when:
+ - wn19_dc_000140
+ - ansible_windows_domain_role == "Primary domain controller"
+ - is_implemented
+ tags:
+ - WN19-DC-000140
+ - V-93513
+ - SRG-OS-000396-GPOS-00176
+ - SV-103599r1
+ - CCI-002450
+ - medium
+
+- name: "MEDIUM | WN19-DC-000170 | Active Directory Group Policy objects must be configured with proper audit settings."
+ block:
+ - name: "MEDIUM | WN19-DC-000170 | AUDIT | Active Directory Group Policy objects must be configured with proper audit settings."
+ win_shell: echo true
+ register: wn19_dc_000170_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-DC-000170 | PATCH | Active Directory Group Policy objects must be configured with proper audit settings."
+ win_shell: echo true
+ changed_when: no
+ tags: patch
+ when:
+ - wn19_dc_000170
+ - ansible_windows_domain_role == "Primary domain controller"
+ - is_implemented
+ tags:
+ - WN19-DC-000170
+ - V-93121
+ - SRG-OS-000327-GPOS-00127
+ - SV-103209r1
+ - CCI-000172
+ - CCI-002234
+ - medium
+
+- name: "MEDIUM | WN19-DC-000180 | The Active Directory Domain object must be configured with proper audit settings."
+ block:
+ - name: "MEDIUM | WN19-DC-000180 | AUDIT | The Active Directory Domain object must be configured with proper audit settings."
+ win_shell: echo true
+ register: wn19_dc_000180_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-DC-000180 | PATCH | The Active Directory Domain object must be configured with proper audit settings."
+ win_shell: echo true
+ changed_when: no
+ tags: patch
+ when:
+ - wn19_dc_000180
+ - is_implemented
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-DC-000180
+ - V-93123
+ - SRG-OS-000327-GPOS-00127
+ - SV-103211r1
+ - CCI-000172
+ - CCI-002234
+ - medium
+
+- name: "MEDIUM | WN19-DC-000190 | The Active Directory Infrastructure object must be configured with proper audit settings."
+ block:
+ - name: "MEDIUM | WN19-DC-000190 | AUDIT | The Active Directory Infrastructure object must be configured with proper audit settings."
+ win_shell: echo true
+ register: wn19_dc_000190_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-DC-000190 | PATCH | The Active Directory Infrastructure object must be configured with proper audit settings."
+ win_shell: echo true
+ changed_when: no
+ tags: patch
+ when:
+ - wn19_dc_000190
+ - is_implemented
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-DC-000190
+ - V-93125
+ - SRG-OS-000327-GPOS-00127
+ - SV-103213r1
+ - CCI-000172
+ - CCI-002234
+ - medium
+
+- name: "MEDIUM | WN19-DC-000200 | The Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings."
+ block:
+ - name: "MEDIUM | WN19-DC-000200 | AUDIT | The Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings."
+ win_shell: echo true
+ register: wn19_dc_000200_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-DC-000200 | PATCH | The Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings."
+ win_shell: echo true
+ changed_when: no
+ tags: patch
+ when:
+ - wn19_dc_000200
+ - is_implemented
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-DC-000200
+ - V-93127
+ - SRG-OS-000327-GPOS-00127
+ - SV-103215r1
+ - CCI-000172
+ - CCI-002234
+ - medium
+
+- name: "MEDIUM | WN19-DC-000210 | The Active Directory AdminSDHolder object must be configured with proper audit settings."
+ block:
+ - name: "MEDIUM | WN19-DC-000210 | AUDIT | The Active Directory AdminSDHolder object must be configured with proper audit settings."
+ win_shell: echo true
+ register: wn19_dc_000210_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-DC-000210 | PATCH | The Active Directory AdminSDHolder object must be configured with proper audit settings."
+ win_shell: echo true
+ changed_when: no
+ tags: patch
+ when:
+ - wn19_dc_000210
+ - is_implemented
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-DC-000210
+ - V-93129
+ - SRG-OS-000327-GPOS-00127
+ - SV-103217r1
+ - CCI-000172
+ - CCI-002234
+ - medium
+
+- name: "MEDIUM | WN19-DC-000220 | The Active Directory RID Manager$ object must be configured with proper audit settings."
+ block:
+ - name: "MEDIUM | WN19-DC-000220 | AUDIT | The Active Directory RID Manager$ object must be configured with proper audit settings."
+ win_shell: echo true
+ register: wn19_dc_000220_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-DC-000220 | PATCH | The Active Directory RID Manager$ object must be configured with proper audit settings."
+ win_shell: echo true
+ changed_when: no
+ tags: patch
+ when:
+ - wn19_dc_000220
+ - is_implemented
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-DC-000220
+ - V-93131
+ - SRG-OS-000327-GPOS-00127
+ - SV-103219r1
+ - CCI-000172
+ - CCI-002234
+ - medium
+
+- name: "MEDIUM | WN19-DC-000230 | Must be configured to audit Account Management - Computer Account Management successes."
+ block:
+ - name: "MEDIUM | WN19-DC-000230 | AUDIT | Must be configured to audit Account Management - Computer Account Management successes."
+ win_shell: AuditPol /get /subcategory:"Computer Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: wn19_dc_000230_audit
+ check_mode: no
+ changed_when: "'Success' not in wn19_dc_000230_audit.stdout"
+ tags: audit
+
+ - name: "MEDIUM | WN19-DC-000230 | PATCH | Must be configured to audit Account Management - Computer Account Management successes."
+ win_shell: AuditPol /set /subcategory:"Computer Account Management" /success:enable
+ when: "'Success' not in wn19_dc_000230_audit.stdout"
+ tags: patch
+ when:
+ - wn19_dc_000230
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-DC-000230
+ - V-92985
+ - SRG-OS-000004-GPOS-00004
+ - SV-103073r1
+ - CCI-000018
+ - CCI-000172
+ - CCI-001403
+ - CCI-001404
+ - CCI-001405
+ - CCI-002130
+ - medium
+
+- name: "MEDIUM | WN19-DC-000240 | Must be configured to audit DS Access - Directory Service Access successes."
+ block:
+ - name: "MEDIUM | WN19-DC-000240 | AUDIT | Must be configured to audit DS Access - Directory Service Access successes."
+ win_shell: AuditPol /get /subcategory:"Directory Service Access" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: wn19_dc_000240_audit
+ check_mode: no
+ changed_when: "'Success' not in wn19_dc_000240_audit.stdout"
+ tags: audit
+
+ - name: "MEDIUM | WN19-DC-000240 | PATCH | Must be configured to audit DS Access - Directory Service Access successes."
+ win_shell: AuditPol /set /subcategory:"Directory Service Access" /success:enable
+ when: "'Success' not in wn19_dc_000240_audit.stdout"
+ tags: patch
+ when:
+ - wn19_dc_000240
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-DC-000240
+ - V-93133
+ - SRG-OS-000327-GPOS-00127
+ - SV-103221r1
+ - CCI-000172
+ - CCI-002234
+ - medium
+ - NeedToTestDomainController
+
+- name: "MEDIUM | WN19-DC-000250 | Must be configured to audit DS Access - Directory Service Access failures."
+ block:
+ - name: "MEDIUM | WN19-DC-000250 | AUDIT | Must be configured to audit DS Access - Directory Service Access failures."
+ win_shell: AuditPol /get /subcategory:"Directory Service Access" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: wn19_dc_000250_audit
+ check_mode: no
+ changed_when: "'Failure' not in wn19_dc_000250_audit.stdout"
+ tags: audit
+
+ - name: "MEDIUM | WN19-DC-000250 | PATCH | Must be configured to audit DS Access - Directory Service Access failures."
+ win_shell: AuditPol /set /subcategory:"Directory Service Access" /failure:enable
+ when: "'Failure' not in wn19_dc_000250_audit.stdout"
+ tags: patch
+ when:
+ - wn19_dc_000250
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-DC-000250
+ - V-93135
+ - SRG-OS-000327-GPOS-00127
+ - SV-103223r1
+ - CCI-000172
+ - CCI-002234
+ - medium
+ - NeedToTestDomainController
+
+- name: "MEDIUM | WN19-DC-000260 | Must be configured to audit DS Access - Directory Service Changes successes."
+ block:
+ - name: "MEDIUM | WN19-DC-000260 | AUDIT | Must be configured to audit DS Access - Directory Service Changes successes."
+ win_shell: AuditPol /get /subcategory:"Directory Service Changes" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: wn19_dc_000260_audit
+ check_mode: no
+ changed_when: "'Success' not in wn19_dc_000260_audit.stdout"
+ tags: audit
+
+ - name: "MEDIUM | WN19-DC-000260 | PATCH | Must be configured to audit DS Access - Directory Service Changes successes."
+ win_shell: AuditPol /set /subcategory:"Directory Service Changes" /success:enable
+ when: "'Success' not in wn19_dc_000260_audit.stdout"
+ tags: patch
+ when:
+ - wn19_dc_000260
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-DC-000260
+ - V-93137
+ - SRG-OS-000327-GPOS-00127
+ - SV-103225r1
+ - CCI-000172
+ - CCI-002234
+ - medium
+ - NeedToTestDomainController
+
+- name: "MEDIUM | WN19-DC-000270 | Must be configured to audit DS Access - Directory Service Changes failures."
+ block:
+ - name: "MEDIUM | WN19-DC-000270 | AUDIT | Must be configured to audit DS Access - Directory Service Changes failures."
+ win_shell: AuditPol /get /subcategory:"Directory Service Changes" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: wn19_dc_000270_audit
+ check_mode: no
+ changed_when: "'Failure' not in wn19_dc_000270_audit.stdout"
+ tags: audit
+
+ - name: "MEDIUM | WN19-DC-000270 | PATCH | Must be configured to audit DS Access - Directory Service Changes failures."
+ win_shell: AuditPol /set /subcategory:"Directory Service Changes" /failure:enable
+ when: "'Failure' not in wn19_dc_000270_audit.stdout"
+ tags: patch
+ when:
+ - wn19_dc_000270
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-DC-000270
+ - V-93139
+ - SRG-OS-000327-GPOS-00127
+ - SV-103227r1
+ - CCI-000172
+ - CCI-002234
+ - medium
+ - NeedToTestDomainController
+
+- name: "MEDIUM | WN19-DC-000280 | Domain controllers must have a PKI server certificate."
+ block:
+ - name: "MEDIUM | WN19-DC-000280 | AUDIT | Domain controllers must have a PKI server certificate."
+ win_shell: echo true
+ register: wn19_dc_000280_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-DC-000280 | PATCH | Domain controllers must have a PKI server certificate."
+ win_shell: echo true
+ changed_when: no
+ tags: patch
+ when:
+ - wn19_dc_000280
+ - is_implemented
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-DC-000280
+ - V-93481
+ - SRG-OS-000066-GPOS-00034
+ - SV-103567r1
+ - CCI-000185
+ - medium
+
+- name: "MEDIUM | WN19-DC-000310 | Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication."
+ block:
+ - name: "MEDIUM | WN19-DC-000310 | AUDIT | Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication."
+ win_shell: echo true
+ register: wn19_dc_000310_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-DC-000310 | PATCH | Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication."
+ win_shell: echo true
+ changed_when: no
+ tags: patch
+ when:
+ - wn19_dc_000310
+ - ansible_windows_domain_role == "Primary domain controller"
+ - is_implemented
+ tags:
+ - WN19-DC-000310
+ - V-93441
+ - SRG-OS-000105-GPOS-00052
+ - SV-103527r1
+ - CCI-000765
+ - CCI-000766
+ - CCI-000767
+ - CCI-000768
+ - CCI-001948
+ - medium
+
+- name: "MEDIUM | WN19-DC-000320 | Domain controllers must require LDAP access signing."
+ win_regedit:
+ path: HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
+ state: present
+ value: LDAPServerIntegrity
+ data: 2
+ datatype: dword
+ when:
+ - wn19_dc_000320
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-DC-000320
+ - V-93545
+ - SRG-OS-000423-GPOS-00187
+ - SV-103631r1
+ - CCI-002418
+ - CCI-002421
+ - medium
+ - patch
+ - NeedToTestDomainController
+
+- name: "MEDIUM | WN19-DC-000330 | Domain controllers must be configured to allow reset of machine account passwords."
+ win_regedit:
+ path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
+ state: present
+ value: RefusePasswordChange
+ data: 0
+ datatype: dword
+ when:
+ - wn19_dc_000330
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-DC-000330
+ - V-93273
+ - SRG-OS-000480-GPOS-00227
+ - SV-103361r1
+ - CCI-000366
+ - medium
+ - patch
+ - NeedToTestDomainController
+
+- name: "MEDIUM | WN19-DC-000340 | The Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers."
+ win_user_right:
+ name: SeNetworkLogonRight
+ users:
+ - Administrators
+ - Authenticated Users
+ - Enterprise Domain Controllers
+ action: set
+ when:
+ - wn19_dc_000340
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-DC-000340
+ - V-92995
+ - SRG-OS-000080-GPOS-00048
+ - SV-103083r1
+ - CCI-000213
+ - medium
+ - patch
+ - NeedToTestDomainController
+
+- name: "MEDIUM | WN19-DC-000350 | Add workstations to domain user right must only be assigned to the Administrators group on domain controllers."
+ win_user_right:
+ name: SeMachineAccountPrivilege
+ users: Administrators
+ action: set
+ when:
+ - wn19_dc_000350
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-DC-000350
+ - V-93039
+ - SRG-OS-000324-GPOS-00125
+ - SV-103127r1
+ - CCI-002235
+ - medium
+ - patch
+ - NeedToTestDomainController
+
+- name: "MEDIUM | WN19-DC-000360 | Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group on domain controllers."
+ win_user_right:
+ name: SeRemoteInteractiveLogonRight
+ users: Administrators
+ action: set
+ when:
+ - wn19_dc_000360
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-DC-000360
+ - V-92997
+ - SRG-OS-000080-GPOS-00048
+ - SV-103085r1
+ - CCI-000213
+ - medium
+ - patch
+ - NeedToTestDomainController
+
+- name: "MEDIUM | WN19-DC-000370 | The Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access."
+ win_user_right:
+ name: SeDenyNetworkLogonRight
+ users: Guests
+ action: set
+ when:
+ - wn19_dc_000370
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-DC-000370
+ - V-92999
+ - SRG-OS-000080-GPOS-00048
+ - SV-103087r1
+ - CCI-000213
+ - medium
+ - patch
+ - NeedToTestDomainController
+
+- name: "MEDIUM | WN19-DC-000380 | The Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access."
+ win_user_right:
+ name: SeDenyBatchLogonRight
+ users: Guests
+ action: set
+ when:
+ - wn19_dc_000380
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-DC-000380
+ - V-93001
+ - SRG-OS-000080-GPOS-00048
+ - SV-103089r1
+ - CCI-000213
+ - medium
+ - patch
+ - NeedToTestDomainController
+
+- name: "MEDIUM | WN19-DC-000390 | The Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers."
+ win_security_policy:
+ section: Privilege Rights
+ key: SeDenyServiceLogonRight
+ value: ""
+ when:
+ - wn19_dc_000390
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-DC-000390
+ - V-93003
+ - SRG-OS-000080-GPOS-00048
+ - SV-103091r1
+ - CCI-000213
+ - medium
+ - patch
+ - NeedToTestDomainController
+
+- name: "MEDIUM | WN19-DC-000400 | The Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access."
+ win_user_right:
+ name: SeDenyInteractiveLogonRight
+ users: Guests
+ action: set
+ when:
+ - wn19_dc_000400
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-DC-000400
+ - V-93005
+ - SRG-OS-000080-GPOS-00048
+ - SV-103093r1
+ - CCI-000213
+ - medium
+ - patch
+ - NeedToTestDomainController
+
+- name: "MEDIUM | WN19-DC-000410 | The Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access."
+ win_user_right:
+ name: SeDenyRemoteInteractiveLogonRight
+ users: Guests
+ action: set
+ when:
+ - wn19_dc_000410
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-DC-000410
+ - V-92963
+ - SRG-OS-000297-GPOS-00115
+ - SV-103051r1
+ - CCI-002314
+ - medium
+ - patch
+ - NeedToTestDomainController
+
+- name: "MEDIUM | WN19-DC-000420 | The Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers."
+ win_user_right:
+ name: SeEnableDelegationPrivilege
+ users: Administrators
+ action: set
+ when:
+ - wn19_dc_000420
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-DC-000420
+ - V-93041
+ - SRG-OS-000324-GPOS-00125
+ - SV-103129r1
+ - CCI-002235
+ - medium
+ - patch
+ - NeedToTestDomainController
+
+- name: "MEDIUM | WN19-DC-000430 | The password for the krbtgt account on a domain must be reset at least every 180 days."
+ block:
+ - name: "MEDIUM | WN19-DC-000430 | AUDIT | The password for the krbtgt account on a domain must be reset at least every 180 days."
+ win_shell: "Get-ADUser krbtgt -Property PasswordLastSet | Where-Object {$_.PasswordLastSet -lt ((Get-Date).AddDays(-{{ wn19_dc_000430_pass_age }}))} | Select-Object -ExpandProperty PasswordLastSet"
+ register: wn19_dc_000430_audit
+ check_mode: no
+ changed_when: wn19_dc_000430_audit.stdout != ""
+ tags: audit
+
+ ## this seems highly prone to breakage?
its a DC acct, has replicate. if you screw it up, it could stop kerberos tickets and break auth things
+ ## https://www.kjctech.net/do-you-need-to-update-krbtgt-account-password/
+ - name: "MEDIUM | WN19-DC-000430 | PATCH | The password for the krbtgt account on a domain must be reset at least every 180 days."
+ win_shell: echo true
+ changed_when: no
+ when: is_implemented
+ tags: patch
+ when:
+ - wn19_dc_000430
+ - ansible_windows_domain_role == "Primary domain controller"
+ - win2019stig_complexity_high
+ tags:
+ - WN19-DC-000430
+ - V-93211
+ - SRG-OS-000480-GPOS-00227
+ - SV-103299r3
+ - CCI-000366
+ - NeedToTestDomainController
+ - medium
+
+- name: "MEDIUM | WN19-EP-000010 | Exploit Protection system-level mitigation, Data Execution Prevention (DEP), must be on."
+ command: "echo true"
+ when:
+ - wn19_ep_000010
+ - is_implemented
+ tags:
+ - WN19-EP-000010
+ - V-93313
+ - SRG-OS-000480-GPOS-00227
+ - SV-103401r1
+ - CCI-000366
+ - medium
+
+- name: "MEDIUM | WN19-EP-000020 | Exploit Protection system-level mitigation, Randomize memory allocations (Bottom-Up ASLR), must be on."
+ command: "echo true"
+ when:
+ - wn19_ep_000020
+ - is_implemented
+ tags:
+ - WN19-EP-000020
+ - V-93565
+ - SRG-OS-000433-GPOS-00193
+ - SV-103651r1
+ - CCI-002824
+ - medium
+
+- name: "MEDIUM | WN19-EP-000030 | Exploit Protection system-level mitigation, Control flow guard (CFG), must be on."
+ command: "echo true"
+ when:
+ - wn19_ep_000030
+ - is_implemented
+ tags:
+ - WN19-EP-000030
+ - V-93315
+ - SRG-OS-000480-GPOS-00227
+ - SV-103403r1
+ - CCI-000366
+ - medium
+
+- name: "MEDIUM | WN19-EP-000040 | Exploit Protection system-level mitigation, Validate exception chains (SEHOP), must be on."
+ command: "echo true"
+ when:
+ - wn19_ep_000040
+ - is_implemented
+ tags:
+ - WN19-EP-000040
+ - V-93317
+ - SRG-OS-000480-GPOS-00227
+ - SV-103405r1
+ - CCI-000366
+ - medium
+
+- name: "MEDIUM | WN19-EP-000050 | Exploit Protection system-level mitigation, Validate heap integrity, must be on."
+ command: "echo true"
+ when:
+ - wn19_ep_000050
+ - is_implemented
+ tags:
+ - WN19-EP-000050
+ - V-93319
+ - SRG-OS-000480-GPOS-00227
+ - SV-103407r1
+ - CCI-000366
+ - medium
+
+- name: "MEDIUM | WN19-EP-000060 | Exploit Protection mitigations must be configured for Acrobat.exe."
+ command: "echo true"
+ when:
+ - wn19_ep_000060
+ - is_implemented
+ tags:
+ - WN19-EP-000060
+ - V-93321
+ - SRG-OS-000480-GPOS-00227
+ - SV-103409r1
+ - CCI-000366
+ - medium
+
+- name: "MEDIUM | WN19-EP-000070 | Exploit Protection mitigations must be configured for AcroRd32.exe."
+ block:
+ - name: "MEDIUM | WN19-EP-000070 | AUDIT | Exploit Protection mitigations must be configured for AcroRd32.exe."
+ win_shell: "echo true"
+ register: wn19_ep_000070_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-EP-000070 | PATCH | Exploit Protection mitigations must be configured for AcroRd32.exe."
+ win_shell: "echo true"
+ register: wn19_ep_000070_patch
+ changed_when: wn19_ep_000070_patch.stdout == "SET"
+ tags: patch
+ when:
+ - wn19_ep_000070
+ - is_implemented
+ tags:
+ - WN19-EP-000070
+ - V-93323
+ - SRG-OS-000480-GPOS-00227
+ - SV-103411r1
+ - CCI-000366
+ - medium
+
+- name: "MEDIUM | WN19-EP-000080 | Exploit Protection mitigations must be configured for chrome.exe."
+ block:
+ - name: "MEDIUM | WN19-EP-000080 | AUDIT | Exploit Protection mitigations must be configured for chrome.exe."
+ win_shell: "echo true"
+ register: wn19_ep_000080_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-EP-000080 | PATCH | Exploit Protection mitigations must be configured for chrome.exe."
+ win_shell: "echo true"
+ register: wn19_ep_000080_patch
+ changed_when: wn19_ep_000080_patch.stdout == "SET"
+ tags: patch
+ when:
+ - wn19_ep_000080
+ - is_implemented
+ tags:
+ - WN19-EP-000080
+ - V-93325
+ - SRG-OS-000480-GPOS-00227
+ - SV-103413r1
+ - CCI-000366
+ - medium
+
+- name: "MEDIUM | WN19-EP-000090 | Exploit Protection mitigations must be configured for EXCEL.EXE."
+ block:
+ - name: "MEDIUM | WN19-EP-000090 | AUDIT | Exploit Protection mitigations must be configured for EXCEL.EXE."
+ win_shell: "echo true"
+ register: wn19_ep_000090_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-EP-000090 | PATCH | Exploit Protection mitigations must be configured for EXCEL.EXE."
+ win_shell: "echo true"
+ register: wn19_ep_000090_patch
+ changed_when: wn19_ep_000090_patch.stdout == "SET"
+ tags: patch
+ when:
+ - wn19_ep_000090
+ - is_implemented
+ tags:
+ - WN19-EP-000090
+ - V-93327
+ - SRG-OS-000480-GPOS-00227
+ - SV-103415r1
+ - CCI-000366
+ - medium
+
+- name: "MEDIUM | WN19-EP-000100 | Exploit Protection mitigations must be configured for firefox.exe."
+ block:
+ - name: "MEDIUM | WN19-EP-000100 | AUDIT | Exploit Protection mitigations must be configured for firefox.exe."
+ win_shell: "echo true"
+ register: wn19_ep_000100_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-EP-000100 | PATCH | Exploit Protection mitigations must be configured for firefox.exe."
+ win_shell: "echo true"
+ register: wn19_ep_000100_patch
+ changed_when: wn19_ep_000100_patch.stdout == "SET"
+ tags: patch
+ when:
+ - wn19_ep_000100
+ - is_implemented
+ tags:
+ - WN19-EP-000100
+ - V-93329
+ - SRG-OS-000480-GPOS-00227
+ - SV-103417r1
+ - CCI-000366
+ - medium
+
+- name: "MEDIUM | WN19-EP-000110 | Exploit Protection mitigations must be configured for FLTLDR.EXE."
+ block:
+ - name: "MEDIUM | WN19-EP-000110 | AUDIT | Exploit Protection mitigations must be configured for FLTLDR.EXE."
+ win_shell: "echo true"
+ register: wn19_ep_000110_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-EP-000110 | PATCH | Exploit Protection mitigations must be configured for FLTLDR.EXE."
+ win_shell: "echo true"
+ register: wn19_ep_000110_patch
+ changed_when: wn19_ep_000110_patch.stdout == "SET"
+ tags: patch
+ when:
+ - wn19_ep_000110
+ - is_implemented
+ tags:
+ - WN19-EP-000110
+ - V-93331
+ - SRG-OS-000480-GPOS-00227
+ - SV-103419r1
+ - CCI-000366
+ - medium
+
+- name: "MEDIUM | WN19-EP-000120 | Exploit Protection mitigations must be configured for GROOVE.EXE."
+ block:
+ - name: "MEDIUM | WN19-EP-000120 | AUDIT | Exploit Protection mitigations must be configured for GROOVE.EXE."
+ win_shell: "echo true"
+ register: wn19_ep_000120_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-EP-000120 | PATCH | Exploit Protection mitigations must be configured for GROOVE.EXE."
+ win_shell: "echo true"
+ register: wn19_ep_000120_patch
+ changed_when: wn19_ep_000120_patch.stdout == "SET"
+ tags: patch
+ when:
+ - wn19_ep_000120
+ - is_implemented
+ tags:
+ - WN19-EP-000120
+ - V-93333
+ - SRG-OS-000480-GPOS-00227
+ - SV-103421r1
+ - CCI-000366
+ - medium
+
+- name: "MEDIUM | WN19-EP-000130 | Exploit Protection mitigations must be configured for iexplore.exe."
+ block:
+ - name: "MEDIUM | WN19-EP-000130 | AUDIT | Exploit Protection mitigations must be configured for iexplore.exe."
+ win_shell: "echo true"
+ register: wn19_ep_000130_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-EP-000130 | PATCH | Exploit Protection mitigations must be configured for iexplore.exe."
+ win_shell: "echo true"
+ register: wn19_ep_000130_patch
+ changed_when: wn19_ep_000130_patch.stdout == "SET"
+ tags: patch
+ when:
+ - wn19_ep_000130
+ - is_implemented
+ tags:
+ - WN19-EP-000130
+ - V-93335
+ - SRG-OS-000480-GPOS-00227
+ - SV-103423r1
+ - CCI-000366
+ - medium
+
+- name: "MEDIUM | WN19-EP-000140 | Exploit Protection mitigations must be configured for INFOPATH.EXE."
+ block:
+ - name: "MEDIUM | WN19-EP-000140 | AUDIT | Exploit Protection mitigations must be configured for INFOPATH.EXE."
+ win_shell: "echo true"
+ register: wn19_ep_000140_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-EP-000140 | PATCH | Exploit Protection mitigations must be configured for INFOPATH.EXE."
+ win_shell: "echo true"
+ register: wn19_ep_000140_patch
+ changed_when: wn19_ep_000140_patch.stdout == "SET"
+ tags: patch
+ when:
+ - wn19_ep_000140
+ - is_implemented
+ tags:
+ - WN19-EP-000140
+ - V-93337
+ - SRG-OS-000480-GPOS-00227
+ - SV-103425r1
+ - CCI-000366
+ - medium
+
+- name: "MEDIUM | WN19-EP-000150 | Exploit Protection mitigations must be configured for java.exe, javaw.exe, and javaws.exe."
+ block:
+ - name: "MEDIUM | WN19-EP-000150 | AUDIT | Exploit Protection mitigations must be configured for java.exe, javaw.exe, and javaws.exe."
+ win_shell: "echo true"
+ register: wn19_ep_000150_audit
+ check_mode: no
+ changed_when: no
+ tags: audit
+
+ - name: "MEDIUM | WN19-EP-000150 | PATCH | Exploit Protection mitigations must be configured for java.exe, javaw.exe, and javaws.exe."
+ win_shell: "echo true"
+ register: wn19_ep_000150_patch
+ changed_when: wn19_ep_000150_patch.stdout == "SET"
+ tags: patch
+ when:
+ - wn19_ep_000150
+ - is_implemented
+ tags:
+ - WN19-EP-000150
+ - V-93339
+ - SRG-OS-000480-GPOS-00227
+ - SV-103427r1
+ - CCI-000366
+ - patch
+
+- name: "MEDIUM | WN19-EP-000160 | Exploit Protection mitigations must be configured for lync.exe."
+ block: + - name: "MEDIUM | WN19-EP-000160 | AUDIT | Exploit Protection mitigations must be configured for lync.exe." + win_shell: "echo true" + register: wn19_ep_000160_audit + check_mode: no + changed_when: no + tags: audit + + - name: "MEDIUM | WN19-EP-000160 | PATCH | Exploit Protection mitigations must be configured for lync.exe." + win_shell: "echo true" + register: wn19_ep_000160_patch + changed_when: wn19_ep_000160_patch.stdout == "SET" + tags: patch + when: + - wn19_ep_000160 + - is_implemented + tags: + - WN19-EP-000160 + - V-93341 + - SRG-OS-000480-GPOS-00227 + - SV-103429r1 + - CCI-000366 + - medium + +- name: "MEDIUM | WN19-EP-000170 | Exploit Protection mitigations must be configured for MSACCESS.EXE." + block: + - name: "MEDIUM | WN19-EP-000170 | AUDIT | Exploit Protection mitigations must be configured for MSACCESS.EXE." + win_shell: "echo true" + register: wn19_ep_000170_audit + check_mode: no + changed_when: no + tags: audit + + - name: "MEDIUM | WN19-EP-000170 | PATCH | Exploit Protection mitigations must be configured for MSACCESS.EXE." + win_shell: "echo true" + register: wn19_ep_000170_patch + changed_when: wn19_ep_000170_patch.stdout == "SET" + tags: patch + when: + - wn19_ep_000170 + - is_implemented + tags: + - WN19-EP-000170 + - V-93343 + - SRG-OS-000480-GPOS-00227 + - SV-103431r1 + - CCI-000366 + - medium + +- name: "MEDIUM | WN19-EP-000180 | Exploit Protection mitigations must be configured for MSPUB.EXE." + block: + - name: "MEDIUM | WN19-EP-000180 | AUDIT | Exploit Protection mitigations must be configured for MSPUB.EXE." + win_shell: "echo true" + register: wn19_ep_000180_audit + check_mode: no + changed_when: no + tags: audit + + - name: "MEDIUM | WN19-EP-000180 | PATCH | Exploit Protection mitigations must be configured for MSPUB.EXE." 
+ win_shell: "echo true" + register: wn19_ep_000180_patch + changed_when: wn19_ep_000180_patch.stdout == "SET" + tags: patch + when: + - wn19_ep_000180 + - is_implemented + tags: + - WN19-EP-000180 + - V-93345 + - SRG-OS-000480-GPOS-00227 + - SV-103433r1 + - CCI-000366 + - medium + +- name: "MEDIUM | WN19-EP-000190 | Exploit Protection mitigations must be configured for OIS.EXE." + block: + - name: "MEDIUM | WN19-EP-000190 | AUDIT | Exploit Protection mitigations must be configured for OIS.EXE." + win_shell: "echo true" + register: wn19_ep_000190_audit + check_mode: no + changed_when: no + tags: audit + + - name: "MEDIUM | WN19-EP-000190 | PATCH | Exploit Protection mitigations must be configured for OIS.EXE." + win_shell: "echo true" + register: wn19_ep_000190_patch + changed_when: wn19_ep_000190_patch.stdout == "SET" + tags: patch + when: + - wn19_ep_000190 + - is_implemented + tags: + - WN19-EP-000190 + - V-93347 + - SRG-OS-000480-GPOS-00227 + - SV-103435r1 + - CCI-000366 + - medium + +- name: "MEDIUM | WN19-EP-000200 | Exploit Protection mitigations must be configured for OneDrive.exe." + block: + - name: "MEDIUM | WN19-EP-000200 | AUDIT | Exploit Protection mitigations must be configured for OneDrive.exe." + win_shell: "echo true" + register: wn19_ep_000200_audit + check_mode: no + changed_when: no + tags: audit + + - name: "MEDIUM | WN19-EP-000200 | PATCH | Exploit Protection mitigations must be configured for OneDrive.exe." + win_shell: "echo true" + register: wn19_ep_000200_patch + changed_when: wn19_ep_000200_patch.stdout == "SET" + tags: patch + when: + - wn19_ep_000200 + - is_implemented + tags: + - WN19-EP-000200 + - V-93349 + - SRG-OS-000480-GPOS-00227 + - SV-103437r1 + - CCI-000366 + - medium + +- name: "MEDIUM | WN19-EP-000210 | Exploit Protection mitigations must be configured for OUTLOOK.EXE." + block: + - name: "MEDIUM | WN19-EP-000210 | AUDIT | Exploit Protection mitigations must be configured for OUTLOOK.EXE." 
+ win_shell: "echo true" + register: wn19_ep_000210_audit + check_mode: no + changed_when: no + tags: audit + + - name: "MEDIUM | WN19-EP-000210 | PATCH | Exploit Protection mitigations must be configured for OUTLOOK.EXE." + win_shell: "echo true" + register: wn19_ep_000210_patch + changed_when: wn19_ep_000210_patch.stdout == "SET" + tags: patch + when: + - wn19_ep_000210 + - is_implemented + tags: + - WN19-EP-000210 + - V-93351 + - SRG-OS-000480-GPOS-00227 + - SV-103439r1 + - CCI-000366 + - medium + +- name: "MEDIUM | WN19-EP-000220 | Exploit Protection mitigations must be configured for plugin-container.exe." + block: + - name: "MEDIUM | WN19-EP-000220 | AUDIT | Exploit Protection mitigations must be configured for plugin-container.exe." + win_shell: "echo true" + register: wn19_ep_000220_audit + check_mode: no + changed_when: no + tags: audit + + - name: "MEDIUM | WN19-EP-000220 | PATCH | Exploit Protection mitigations must be configured for plugin-container.exe." + win_shell: "echo true" + register: wn19_ep_000220_patch + changed_when: wn19_ep_000220_patch.stdout == "SET" + tags: patch + when: + - wn19_ep_000220 + - is_implemented + tags: + - WN19-EP-000220 + - V-93353 + - SRG-OS-000480-GPOS-00227 + - SV-103441r1 + - CCI-000366 + - medium + +- name: "MEDIUM | WN19-EP-000230 | Exploit Protection mitigations must be configured for POWERPNT.EXE." + block: + - name: "MEDIUM | WN19-EP-000230 | AUDIT | Exploit Protection mitigations must be configured for POWERPNT.EXE." + win_shell: "echo true" + register: wn19_ep_000230_audit + check_mode: no + changed_when: no + tags: audit + + - name: "MEDIUM | WN19-EP-000230 | PATCH | Exploit Protection mitigations must be configured for POWERPNT.EXE." 
+ win_shell: "echo true" + register: wn19_ep_000230_patch + changed_when: wn19_ep_000230_patch.stdout == "SET" + tags: patch + when: + - wn19_ep_000230 + - is_implemented + tags: + - WN19-EP-000230 + - V-93355 + - SRG-OS-000480-GPOS-00227 + - SV-103443r1 + - CCI-000366 + - medium + +- name: "MEDIUM | WN19-EP-000240 | Exploit Protection mitigations must be configured for PPTVIEW.EXE." + block: + - name: "MEDIUM | WN19-EP-000240 | AUDIT | Exploit Protection mitigations must be configured for PPTVIEW.EXE." + win_shell: "echo true" + register: wn19_ep_000240_audit + check_mode: no + changed_when: no + tags: audit + + - name: "MEDIUM | WN19-EP-000240 | PATCH | Exploit Protection mitigations must be configured for PPTVIEW.EXE." + win_shell: "echo true" + register: wn19_ep_000240_patch + changed_when: wn19_ep_000240_patch.stdout == "SET" + tags: patch + when: + - wn19_ep_000240 + - is_implemented + tags: + - WN19-EP-000240 + - V-93357 + - SRG-OS-000480-GPOS-00227 + - SV-103445r1 + - CCI-000366 + - medium + +- name: "MEDIUM | WN19-EP-000250 | Exploit Protection mitigations must be configured for VISIO.EXE." + block: + - name: "MEDIUM | WN19-EP-000250 | AUDIT | Exploit Protection mitigations must be configured for VISIO.EXE." + win_shell: "echo true" + register: wn19_ep_000250_audit + check_mode: no + changed_when: no + tags: audit + + - name: "MEDIUM | WN19-EP-000250 | PATCH | Exploit Protection mitigations must be configured for VISIO.EXE." + win_shell: "echo true" + register: wn19_ep_000250_patch + changed_when: wn19_ep_000250_patch.stdout == "SET" + tags: patch + when: + - wn19_ep_000250 + - is_implemented + tags: + - WN19-EP-000250 + - V-93357 + - SRG-OS-000480-GPOS-00227 + - SV-103445r1 + - CCI-000366 + - medium + +- name: "MEDIUM | WN19-EP-000260 | Exploit Protection mitigations must be configured for VPREVIEW.EXE." + block: + - name: "MEDIUM | WN19-EP-000260 | AUDIT | Exploit Protection mitigations must be configured for VPREVIEW.EXE." 
+ win_shell: "echo true" + register: wn19_ep_000260_audit + check_mode: no + changed_when: no + tags: audit + + - name: "MEDIUM | WN19-EP-000260 | PATCH | Exploit Protection mitigations must be configured for VPREVIEW.EXE." + win_shell: "echo true" + register: wn19_ep_000260_patch + changed_when: wn19_ep_000260_patch.stdout == "SET" + tags: patch + when: + - wn19_ep_000260 + - is_implemented + tags: + - WN19-EP-000260 + - V-93361 + - SRG-OS-000480-GPOS-00227 + - SV-103449r1 + - CCI-000366 + - medium + +- name: "MEDIUM | WN19-EP-000270 | Exploit Protection mitigations must be configured for WINWORD.EXE." + block: + - name: "MEDIUM | WN19-EP-000270 | AUDIT | Exploit Protection mitigations must be configured for WINWORD.EXE." + win_shell: "echo true" + register: wn19_ep_000270_audit + check_mode: no + changed_when: no + tags: audit + + - name: "MEDIUM | WN19-EP-000270 | PATCH | Exploit Protection mitigations must be configured for WINWORD.EXE." + win_shell: "echo true" + register: wn19_ep_000270_patch + changed_when: wn19_ep_000270_patch.stdout == "SET" + tags: patch + when: + - wn19_ep_000270 + - is_implemented + tags: + - WN19-EP-000270 + - V-93363 + - SRG-OS-000480-GPOS-00227 + - SV-103451r1 + - CCI-000366 + - medium + +- name: "MEDIUM | WN19-EP-000280 | Exploit Protection mitigations must be configured for wmplayer.exe." + block: + - name: "MEDIUM | WN19-EP-000280 | AUDIT | Exploit Protection mitigations must be configured for wmplayer.exe." + win_shell: "echo true" + register: wn19_ep_000280_audit + check_mode: no + changed_when: no + tags: audit + + - name: "MEDIUM | WN19-EP-000280 | PATCH | Exploit Protection mitigations must be configured for wmplayer.exe." 
+ win_shell: "echo true" + register: wn19_ep_000280_patch + changed_when: wn19_ep_000280_patch.stdout == "SET" + tags: patch + when: + - wn19_ep_000280 + - is_implemented + tags: + - WN19-EP-000280 + - V-93365 + - SRG-OS-000480-GPOS-00227 + - SV-103453r1 + - CCI-000366 + - medium + +- name: "MEDIUM | WN19-EP-000290 | Exploit Protection mitigations must be configured for wordpad.exe." + block: + - name: "MEDIUM | WN19-EP-000290 | AUDIT | Exploit Protection mitigations must be configured for wordpad.exe." + win_shell: "echo true" + register: wn19_ep_000290_audit + check_mode: no + changed_when: no + tags: audit + + - name: "MEDIUM | WN19-EP-000290 | PATCH | Exploit Protection mitigations must be configured for wordpad.exe." + win_shell: "echo true" + register: wn19_ep_000290_patch + changed_when: wn19_ep_000290_patch.stdout == "SET" + tags: patch + when: + - wn19_ep_000290 + - is_implemented + - not ansible_windows_domain_role == "Primary domain controller" + tags: + - WN19-EP-000290 + - V-93367 + - SRG-OS-000480-GPOS-00227 + - SV-103455r1 + - CCI-000366 + - medium + +- name: "MEDIUM | WN19-MS-000020 | Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems." + win_regedit: + path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System + state: present + value: LocalAccountTokenFilterPolicy + data: 0 + datatype: dword + when: + - wn19_ms_000020 + - ansible_windows_domain_role == "Member server" + tags: + - WN19-MS-000020 + - V-93519 + - SRG-OS-000134-GPOS-00068 + - SV-103605r1 + - CCI-001084 + - medium + - patch + - NeedToTestMemberServer + +- name: "MEDIUM | WN19-MS-000030 | Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems." 
+ win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System + state: present + value: EnumerateLocalUsers + data: 0 + datatype: dword + when: + - wn19_ms_000030 + - ansible_windows_domain_role == "Member server" + tags: + - WN19-MS-000030 + - V-93419 + - SRG-OS-000095-GPOS-00049 + - SV-103505r1 + - CCI-000381 + - medium + - patch + - NeedToTestMemberServer + +- name: "MEDIUM | WN19-MS-000040 | Unauthenticated Remote Procedure Call (RPC) clients must be restricted from connecting to the RPC server." + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc + state: present + value: RestrictRemoteClients + data: 1 + datatype: dword + when: + - wn19_ms_000040 + - not ansible_windows_domain_role == "Primary domain controller" + tags: + - WN19-MS-000040 + - V-93453 + - SRG-OS-000379-GPOS-00164 + - SV-103539r1 + - CCI-001967 + - medium + - patch + +- name: "MEDIUM | WN19-MS-000050 | Caching of logon credentials must be limited." + win_regedit: + path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon + state: present + value: CachedLogonsCount + data: 4 + datatype: dword + when: + - wn19_ms_000050 + - ansible_windows_domain_role == "Member server" + tags: + - WN19-MS-000050 + - V-93275 + - SRG-OS-000480-GPOS-00227 + - SV-103363r1 + - CCI-000366 + - medium + - patch + +- name: "MEDIUM | WN19-MS-000060 | Remote calls to the Security Account Manager (SAM) must be restricted to Administrators." 
+ win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa + state: present + value: RestrictRemoteSAM + data: O:BAG:BAD:(A;;RC;;;BA) + datatype: string + when: + - wn19_ms_000060 + - not ansible_windows_domain_role == "Primary domain controller" + tags: + - WN19-MS-000060 + - V-93045 + - SRG-OS-000324-GPOS-00125 + - SV-103133r1 + - CCI-002235 + - medium + - patch + +- name: "MEDIUM | WN19-MS-000070 | Access this computer from the network user right must only be assigned to the Administrators and Authenticated Users groups on domain-joined member servers and standalone systems." + win_user_right: + name: SeNetworkLogonRight + users: + - Administrators + - Authenticated Users + action: set + when: + - wn19_ms_000070 + - not ansible_windows_domain_role == "Primary domain controller" + tags: + - WN19-MS-000070 + - V-93007 + - SRG-OS-000080-GPOS-00048 + - SV-103095r1 + - CCI-000213 + - medium + - patch + +- name: "MEDIUM | WN19-MS-000080 | Deny access to this computer from the network user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems." + block: + - name: "MEDIUM | WN19-MS-000080 | AUDIT | Deny access to this computer from the network user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems." 
+ win_user_right: + name: SeDenyNetworkLogonRight + users: + - Guests + - Enterprise Admins + - Domain Admins + - Local account + - Local account and member of Administrators group + action: set + when: ansible_windows_domain_role == "Member server" + tags: audit + + - name: "MEDIUM | WN19-MS-000080 | PATCH | Deny access to this computer from the network user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems." + win_user_right: + name: SeDenyNetworkLogonRight + users: Guests + action: set + when: not ansible_windows_domain_member + tags: patch + when: + - wn19_ms_000080 + - not ansible_windows_domain_role == "Primary domain controller" + tags: + - WN19-MS-000080 + - V-93009 + - SRG-OS-000080-GPOS-00048 + - SV-103097r1 + - CCI-000213 + - medium + - borked_if_ansible_svc_is_admin_domain_member_fails_after + - NeedToTestMemberServer + +- name: "MEDIUM | WN19-MS-000090 | Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems." + block: + - name: "MEDIUM | WN19-MS-000090 | DOMAIN MEMBER | Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems." + win_user_right: + name: SeDenyBatchLogonRight + users: + - Enterprise Admins + - Domain Admins + - Guests + action: set + when: ansible_windows_domain_role == "Member server" + + - name: "MEDIUM | WN19-MS-000090 | STAND-ALONE | Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems." 
+ win_user_right: + name: SeDenyBatchLogonRight + users: + - Guests + action: set + when: not ansible_windows_domain_member + when: wn19_ms_000090 + tags: + - WN19-MS-000090 + - V-93011 + - SRG-OS-000080-GPOS-00048 + - SV-103099r1 + - CCI-000213 + - medium + - patch + - NeedToTestMemberServer + +- name: "MEDIUM | WN19-MS-000100 | Deny log on as a service user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts. No other groups or accounts must be assigned this right." + win_user_right: + name: SeDenyServiceLogonRight + users: + - Enterprise Admins + - Domain Admins + action: set + when: + - wn19_ms_000100 + - ansible_windows_domain_role == "Member server" + tags: + - WN19-MS-000100 + - V-93013 + - SRG-OS-000080-GPOS-00048 + - SV-103101r1 + - CCI-000213 + - medium + - patch + - NeedToTestMemberServer + +- name: "MEDIUM | WN19-MS-000110 | Deny log on locally user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems." + block: + - name: "MEDIUM | WN19-MS-000110 | DOMAIN MEMBER | Deny log on locally user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems." + win_user_right: + name: SeDenyInteractiveLogonRight + users: + - Guests + - Enterprise Admins + - Domain Admins + action: set + when: ansible_windows_domain_role == "Member server" + + - name: "MEDIUM | WN19-MS-000110 | STAND-ALONE | Deny log on locally user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems." 
+ win_user_right: + name: SeDenyInteractiveLogonRight + users: + - Guests + action: set + when: not ansible_windows_domain_member + when: wn19_ms_000110 + tags: + - WN19-MS-000110 + - V-93015 + - SRG-OS-000080-GPOS-00048 + - SV-103103r1 + - CCI-000213 + - medium + - patch + - NeedToTestMemberServer + +- name: "MEDIUM | WN19-MS-000120 | Deny log on through Remote Desktop Services user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems." + block: + - name: "MEDIUM | WN19-MS-000120 | DOMAIN MEMBER | Deny log on through Remote Desktop Services user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems." + win_user_right: + name: SeDenyRemoteInteractiveLogonRight + users: + - Guests + - Local account + - Enterprise Admins + - Domain Admins + action: set + when: ansible_windows_domain_role == "Member server" + + - name: "MEDIUM | WN19-MS-000120 | STAND-ALONE | Deny log on through Remote Desktop Services user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems." + win_user_right: + name: SeDenyRemoteInteractiveLogonRight + users: + - Guests + action: set + when: not ansible_windows_domain_member + when: wn19_ms_000120 + tags: + - WN19-MS-000120 + - V-92965 + - SRG-OS-000297-GPOS-00115 + - SV-103053r1 + - CCI-002314 + - medium + - patch + - NeedToTestMemberServer + +- name: "MEDIUM | WN19-MS-000130 | Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts on domain-joined member servers and standalone systems." 
+ win_security_policy: + section: Privilege Rights + key: SeEnableDelegationPrivilege + value: "" + when: + - wn19_ms_000130 + tags: + - WN19-MS-000130 + - V-93047 + - SRG-OS-000324-GPOS-00125 + - SV-103135r1 + - CCI-002235 + - medium + - patch + +- name: "MEDIUM | WN19-PK-000010 | Must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store." + block: + - name: "MEDIUM | WN19-PK-000010 | AUDIT | Must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store." + win_shell: Get-ChildItem -Path Cert:Localmachine\root | Where Subject -Like "*DoD*" | FL Subject, Thumbprint, NotAfter + register: wn19_PK_000010_audit + check_mode: no + changed_when: no + tags: audit + when: is_implemented + tags: + - WN19-PK-000010 + - V-93487 + - SRG-OS-000066-GPOS-00034 + - SV-103573r1 + - CCI-000185 + - CCI-002470 + - medium + - patch + +- name: "MEDIUM | WN19-PK-000020 | Must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems." + block: + - name: "MEDIUM | WN19-PK-000020 | AUDIT | Must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems." + win_shell: echo true + register: wn19_pk_000020_audit + check_mode: no + changed_when: no + tags: audit + + - name: "MEDIUM | WN19-PK-000020 | PATCH | Must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems." 
+ win_shell: echo true + changed_when: no + tags: patch + when: + - wn19_pk_000020 + - is_implemented + tags: + - WN19-PK-000020 + - V-93489 + - SRG-OS-000066-GPOS-00034 + - SV-103575r1 + - CCI-000185 + - CCI-002470 + - medium + +- name: "MEDIUM | WN19-PK-000030 | Must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems." + block: + - name: "MEDIUM | WN19-PK-000030 | AUDIT | Must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems." + win_shell: Get-ChildItem -Path Cert:Localmachine\disallowed | Where Issuer -Like "*CCEB Interoperability*" | FL Subject, Issuer, Thumbprint, NotAfter + register: wn19_pk_000030_audit + check_mode: no + changed_when: no + tags: audit + + - name: "MEDIUM | WN19-PK-000030 | PATCH | Must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems." + win_shell: echo true + changed_when: no + tags: patch + when: is_implemented + when: wn19_pk_000030 + tags: + - WN19-PK-000030 + - V-93491 + - SRG-OS-000066-GPOS-00034 + - SV-103577r1 + - CCI-000185 + - CCI-002470 + - medium + +- name: "MEDIUM | WN19-SO-000010 | Must have the built-in guest account disabled." + win_security_policy: + section: System Access + key: EnableGuestAccount + value: 0 + when: wn19_so_000010 + tags: + - WN19-SO-000010 + - V-93497 + - SRG-OS-000121-GPOS-00062 + - SV-103583r1 + - CCI-000804 + - medium + - patch + +- name: "MEDIUM | WN19-SO-000020 | Must prevent local accounts with blank passwords from being used from the network." 
+ win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa + state: present + value: LimitBlankPasswordUse + data: 1 + datatype: string + when: wn19_so_000020 + tags: + - WN19-SO-000020 + - V-93279 + - SV-103367r1 + - SRG-OS-000480-GPOS-00227 + - CCI-000366 + - medium + - patch + +- name: "MEDIUM | WN19-SO-000030 | Built-in administrator account must be renamed." + win_security_policy: + section: System Access + key: NewAdministratorName + value: "{{ wn19_so_000030_newadministratorname }}" + when: wn19_so_000030 + tags: + - WN19-SO-000030 + - V-93281 + - SRG-OS-000480-GPOS-00227 + - SV-103369r1 + - CCI-000366 + - medium + - patch + +- name: "MEDIUM | WN19-SO-000040 | Built-in guest account must be renamed." + win_security_policy: + section: System Access + key: NewGuestName + value: "{{ wn19_so_000040_newguestname }}" + when: wn19_so_000040 + tags: + - WN19-SO-000040 + - V-93283 + - SRG-OS-000480-GPOS-00227 + - SV-103371r1 + - CCI-000366 + - medium + - patch + +- name: "MEDIUM | WN19-SO-000050 | Must force audit policy subcategory settings to override audit policy category settings." + win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ + state: present + value: SCENoApplyLegacyAuditPolicy + data: 1 + datatype: dword + when: wn19_so_000050 + tags: + - WN19-SO-000050 + - V-93151 + - SRG-OS-000062-GPOS-00031 + - SV-103239r1 + - CCI-000169 + - medium + - patch + +- name: "MEDIUM | WN19-SO-000060 | Setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled." 
+ win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters + state: present + value: RequireSignOrSeal + data: 1 + datatype: dword + when: + - wn19_so_000060 + - ansible_windows_domain_role == "Member server" + tags: + - WN19-SO-000060 + - V-93547 + - SRG-OS-000423-GPOS-00187 + - SV-103633r1 + - CCI-002418 + - CCI-002421 + - medium + - patch + - NeedToTestMemberServer + +- name: "MEDIUM | WN19-SO-000070 | The setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to enabled." + win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters + state: present + value: SealSecureChannel + data: 1 + datatype: dword + when: + - wn19_so_000070 + - ansible_windows_domain_role == "Member server" + tags: + - WN19-SO-000070 + - V-93549 + - SRG-OS-000423-GPOS-00187 + - SV-103635r1 + - CCI-002421 + - CCI-002418 + - medium + - patch + - NeedToTestMemberServer + +- name: "MEDIUM | WN19-SO-000080 | The setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled." + win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters + state: present + value: SignSecureChannel + data: 1 + datatype: dword + when: + - wn19_so_000080 + - ansible_windows_domain_role == "Member server" + tags: + - WN19-SO-000080 + - V-93551 + - SRG-OS-000423-GPOS-00187 + - SV-103637r1 + - CCI-002418 + - CCI-002421 + - medium + - patch + - NeedToTestMemberServer + +- name: "MEDIUM | WN19-SO-000090 | Computer account password must not be prevented from being reset." 
+ win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters + state: present + value: DisablePasswordChange + data: 0 + datatype: dword + when: wn19_so_000090 + tags: + - WN19-SO-000090 + - V-93455 + - SRG-OS-000379-GPOS-00164 + - SV-103541r1 + - CCI-001967 + - medium + - patch + +- name: "MEDIUM | WN19-SO-000100 | Maximum age for machine account passwords must be configured to 30 days or less." + win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters + state: present + value: MaximumPasswordAge + data: 30 + datatype: dword + when: wn19_so_000100 + tags: + - WN19-SO-000100 + - V-93285 + - SRG-OS-000480-GPOS-00227 + - SV-103373r1 + - CCI-000366 + - medium + - patch + +- name: "MEDIUM | WN19-SO-000110 | Must be configured to require a strong session key." + win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters + state: present + value: RequireStrongKey + data: 1 + datatype: dword + when: wn19_so_000110 + tags: + - WN19-SO-000110 + - V-93553 + - SRG-OS-000423-GPOS-00187 + - SV-103639r1 + - CCI-002418 + - CCI-002421 + - medium + - patch + +- name: "MEDIUM | WN19-SO-000120 | Machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver." + win_regedit: + path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System + state: present + value: InactivityTimeoutSecs + data: 900 + datatype: dword + when: wn19_so_000120 + tags: + - WN19-SO-000120 + - V-92961 + - SRG-OS-000028-GPOS-00009 + - SV-103049r1 + - CCI-000056 + - CCI-000057 + - CCI-000060 + - medium + - patch + +- name: "MEDIUM | WN19-SO-000130 | Required legal notice must be configured to display before console logon." 
+ win_regedit: + path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System + state: present + value: LegalNoticeText + data: "{{ wn19_so_000130_legalnoticetext }}" + datatype: string + when: wn19_so_000130 + tags: + - WN19-SO-000130 + - V-93147 + - SRG-OS-000023-GPOS-00006 + - SV-103235r1 + - CCI-000048 + - CCI-000050 + - CCI-001384 + - CCI-001385 + - CCI-001386 + - CCI-001387 + - CCI-001388 + - medium + - patch + - borked_regkey_casesensitive + +- name: "MEDIUM | WN19-SO-000150 | Smart Card removal option must be configured to Force Logoff or Lock Workstation." + win_regedit: + path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon + state: present + value: scremoveoption + data: 1 + datatype: string + when: wn19_so_000150 + tags: + - WN19-SO-000150 + - V-93287 + - SRG-OS-000480-GPOS-00227 + - SV-103375r1 + - CCI-000366 + - medium + - patch + +- name: "MEDIUM | WN19-SO-000160 | Setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled." + win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters + state: present + value: RequireSecuritySignature + data: 1 + datatype: dword + when: wn19_so_000160 + tags: + - WN19-SO-000160 + - V-93555 + - SRG-OS-000423-GPOS-00187 + - SV-103641r1 + - CCI-002418 + - CCI-002421 + - medium + - patch + +- name: "MEDIUM | WN19-SO-000170 | Setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled." + win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters + state: present + value: EnableSecuritySignature + data: 1 + datatype: dword + when: wn19_so_000170 + tags: + - WN19-SO-000170 + - V-93557 + - SRG-OS-000423-GPOS-00187 + - SV-103643r1 + - CCI-002421 + - CCI-002418 + - medium + - patch + +- name: "MEDIUM | WN19-SO-000180 | Unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers." 
+ win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters + state: present + value: EnablePlainTextPassword + data: 0 + datatype: dword + when: wn19_so_000180 + tags: + - WN19-SO-000180 + - V-93469 + - SRG-OS-000074-GPOS-00042 + - SV-103555r1 + - CCI-000197 + - medium + - patch + +- name: "MEDIUM | WN19-SO-000190 | Setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled." + win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters + state: present + value: RequireSecuritySignature + data: 1 + datatype: dword + when: wn19_so_000190 + tags: + - WN19-SO-000190 + - V-93559 + - SRG-OS-000423-GPOS-00187 + - SV-103645r1 + - CCI-002418 + - CCI-002421 + - medium + - patch + - borked_regkey_casesensitive + +- name: "MEDIUM | WN19-SO-000200 | The setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled." + win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters + state: present + value: EnableSecuritySignature + data: 1 + datatype: dword + when: wn19_so_000200 + tags: + - WN19-SO-000200 + - V-93561 + - SRG-OS-000423-GPOS-00187 + - SV-103647r1 + - CCI-002418 + - CCI-002421 + - medium + - patch + - borked_regkey_casesensitive + + +- name: "MEDIUM | WN19-SO-000260 | Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously." + win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa + state: present + value: UseMachineId + data: 1 + datatype: dword + when: wn19_so_000260 + tags: + - WN19-SO-000260 + - V-93295 + - SRG-OS-000480-GPOS-00227 + - SV-103383r1 + - CCI-000366 + - medium + - patch + +- name: "MEDIUM | WN19-SO-000270 | NTLM must be prevented from falling back to a Null session." 
+ win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 + state: present + value: allownullsessionfallback + data: 0 + datatype: dword + when: wn19_so_000270 + tags: + - WN19-SO-000270 + - V-93297 + - SRG-OS-000480-GPOS-00227 + - SV-103385r1 + - CCI-000366 + - medium + - patch + +- name: "MEDIUM | WN19-SO-000280 | Must prevent PKU2U authentication using online identities." + win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u + state: present + value: AllowOnlineID + data: 0 + datatype: dword + when: wn19_so_000280 + tags: + - WN19-SO-000280 + - V-93299 + - SRG-OS-000480-GPOS-00227 + - SV-103387r1 + - CCI-000366 + - medium + - patch + +- name: "MEDIUM | WN19-SO-000290 | Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites." + win_regedit: + path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters + state: present + value: SupportedEncryptionTypes + data: 2147483640 + datatype: dword + when: wn19_so_000290 + tags: + - WN19-SO-000290 + - V-93495 + - SRG-OS-000120-GPOS-00061 + - SV-103581r1 + - CCI-000803 + - medium + - patch + +- name: "MEDIUM | WN19-SO-000320 | Must be configured to at least negotiate signing for LDAP client signing." + win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Services\LDAP + state: present + value: LDAPClientIntegrity + data: 1 + datatype: dword + when: wn19_so_000320 + tags: + - WN19-SO-000320 + - V-93303 + - SRG-OS-000480-GPOS-00227 + - SV-103391r1 + - CCI-000366 + - medium + - patch + - borked_regkey_casesensitive + +- name: "MEDIUM | WN19-SO-000330 | Session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption." 
+ win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 + state: present + value: NTLMMinClientSec + data: 537395200 + datatype: dword + when: wn19_so_000330 + tags: + - WN19-SO-000330 + - V-93305 + - SRG-OS-000480-GPOS-00227 + - SV-103393r1 + - CCI-000366 + - medium + - patch + - borked_regkey_casesensitive + +- name: "MEDIUM | WN19-SO-000340 | Session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption." + win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 + state: present + value: NTLMMinServerSec + data: 537395200 + datatype: dword + when: wn19_so_000340 + tags: + - WN19-SO-000340 + - V-93307 + - SRG-OS-000480-GPOS-00227 + - SV-103395r1 + - CCI-000366 + - medium + - patch + - borked_regkey_casesensitive + +- name: "MEDIUM | WN19-SO-000350 | Users must be required to enter a password to access private keys stored on the computer." + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Cryptography + state: present + value: ForceKeyProtection + data: 2 + datatype: dword + when: wn19_so_000350 + tags: + - WN19-SO-000350 + - V-93493 + - SRG-OS-000067-GPOS-00035 + - SV-103579r1 + - CCI-000186 + - medium + - patch + +- name: "MEDIUM | WN19-SO-000360 | Must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing." + win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager + state: present + value: ProtectionMode + data: 1 + datatype: dword + when: wn19_so_000360 + tags: + - WN19-SO-000360 + - V-93309 + - SRG-OS-000480-GPOS-00227 + - SV-103397r1 + - CCI-000366 + - medium + - patch + +- name: "MEDIUM | WN19-SO-000380 | User Account Control approval mode for the built-in Administrator must be enabled." 
+ win_regedit: + path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System + state: present + value: FilterAdministratorToken + data: 1 + datatype: dword + when: wn19_so_000380 + tags: + - WN19-SO-000380 + - V-93431 + - SRG-OS-000373-GPOS-00157 + - SV-103517r1 + - CCI-002038 + - medium + - patch + # - exclusions for server core? think its NA there + +- name: "MEDIUM | WN19-SO-000390 | UIAccess applications must not be allowed to prompt for elevation without using the secure desktop." + win_regedit: + path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System + state: present + value: EnableUIADesktopToggle + data: 0 + datatype: dword + when: wn19_so_000390 + tags: + - WN19-SO-000390 + - V-93521 + - SRG-OS-000134-GPOS-00068 + - SV-103607r1 + - CCI-001084 + - medium + - patch + +- name: "MEDIUM | WN19-SO-000400 | User Account Control must, at a minimum, prompt administrators for consent on the secure desktop." + win_regedit: + path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System + state: present + value: ConsentPromptBehaviorAdmin + data: 2 + datatype: dword + when: wn19_so_000400 + tags: + - WN19-SO-000400 + - V-93523 + - SRG-OS-000134-GPOS-00068 + - SV-103609r1 + - CCI-001084 + - medium + - patch + +- name: "MEDIUM | WN19-SO-000410 | User Account Control must automatically deny standard user requests for elevation." + win_regedit: + path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System + state: present + value: ConsentPromptBehaviorUser + data: 0 + datatype: dword + when: wn19_so_000410 + tags: + - WN19-SO-000410 + - V-93433 + - SRG-OS-000373-GPOS-00157 + - SV-103519r1 + - CCI-002038 + - medium + - patch + +- name: "MEDIUM | WN19-SO-000420 | User Account Control must be configured to detect application installations and prompt for elevation." 
+ win_regedit: + path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System + state: present + value: EnableInstallerDetection + data: 1 + datatype: dword + when: wn19_so_000420 + tags: + - WN19-SO-000420 + - V-93525 + - SRG-OS-000134-GPOS-00068 + - SV-103611r1 + - CCI-001084 + - medium + - patch + +- name: "MEDIUM | WN19-SO-000430 | User Account Control (UAC) must only elevate UIAccess applications that are installed in secure locations." + win_regedit: + path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System + state: present + value: EnableSecureUIAPaths + data: 1 + datatype: dword + when: wn19_so_000430 + tags: + - WN19-SO-000430 + - V-93527 + - SRG-OS-000134-GPOS-00068 + - SV-103613r1 + - CCI-001084 + - medium + - patch + +- name: "MEDIUM | WN19-SO-000440 | User Account Control must run all administrators in Admin Approval Mode, enabling UAC." + win_regedit: + path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System + state: present + value: EnableLUA + data: 1 + datatype: dword + when: wn19_so_000440 + tags: + - WN19-SO-000440 + - V-93435 + - SRG-OS-000373-GPOS-00157 + - SV-103521r1 + - CCI-002038 + - medium + - patch + +- name: "MEDIUM | WN19-SO-000450 | User Account Control (UAC) must virtualize file and registry write failures to per-user locations." + win_regedit: + path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System + state: present + value: EnableVirtualization + data: 1 + datatype: dword + when: wn19_so_000450 + tags: + - WN19-SO-000450 + - V-93529 + - SRG-OS-000134-GPOS-00068 + - SV-103615r1 + - CCI-001084 + - medium + - patch + +- name: "MEDIUM | WN19-UC-000010 | Must preserve zone information when saving attachments." 
+ win_regedit: + path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments + state: present + value: SaveZoneInformation + data: 2 + datatype: dword + when: wn19_uc_000010 + tags: + - WN19-UC-000010 + - V-93311 + - SRG-OS-000480-GPOS-00227 + - SV-103399r1 + - CCI-000366 + - medium + - patch + +- name: "MEDIUM | WN19-UR-000010 | Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts." + win_security_policy: + section: Privilege Rights + key: SeTrustedCredManAccessPrivilege + value: "" + when: wn19_ur_000010 + tags: + - WN19-UR-000010 + - V-93049 + - SRG-OS-000324-GPOS-00125 + - SV-103137r1 + - CCI-002235 + - medium + - patch + #[WARNING]: Using this module to edit rights and privileges is error-prone, use the win_user_right module instead + +- name: "MEDIUM | WN19-UR-000030 | Allow log on locally user right must only be assigned to the Administrators group." + win_user_right: + name: SeInteractiveLogonRight + users: Administrators + action: set + when: wn19_ur_000030 + tags: + - WN19-UR-000030 + - V-93017 + - SRG-OS-000080-GPOS-00048 + - SV-103105r1 + - CCI-000213 + - medium + - patch + +- name: "MEDIUM | WN19-UR-000040 | The Back up files and directories user right must only be assigned to the Administrators group." + win_user_right: + name: SeBackupPrivilege + users: Administrators + action: set + when: wn19_ur_000040 + tags: + - WN19-UR-000040 + - V-93053 + - SRG-OS-000324-GPOS-00125 + - SV-103141r1 + - CCI-002235 + - medium + - patch + - borked_passes_when_empty + +- name: "MEDIUM | WN19-UR-000050 | Create a pagefile user right must only be assigned to the Administrators group." 
+ win_user_right: + name: SeCreatePagefilePrivilege + users: Administrators + action: set + when: wn19_ur_000050 + tags: + - WN19-UR-000050 + - V-93055 + - SRG-OS-000324-GPOS-00125 + - SV-103143r1 + - CCI-002235 + - medium + - patch + - borked_passes_when_empty + +- name: "MEDIUM | WN19-UR-000060 | Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service." + win_user_right: + name: SeCreateGlobalPrivilege + users: + - Administrators + - Service + - "Local Service" + - Network Service + action: set + when: wn19_ur_000060 + tags: + - WN19-UR-000060 + - V-93059 + - SRG-OS-000324-GPOS-00125 + - SV-103147r1 + - CCI-002235 + - medium + - patch + +- name: "MEDIUM | WN19-UR-000080 | Create permanent shared objects user right must not be assigned to any groups or accounts." + win_security_policy: + section: Privilege Rights + key: SeCreatePermanentPrivilege + value: "" + when: wn19_ur_000080 + tags: + - WN19-UR-000080 + - V-93061 + - SRG-OS-000324-GPOS-00125 + - SV-103149r1 + - CCI-002235 + - medium + - patch + +- name: "MEDIUM | WN19-UR-000090 | Create symbolic links user right must only be assigned to the Administrators group." + win_user_right: + name: SeCreateSymbolicLinkPrivilege + users: Administrators + action: set + when: wn19_ur_000090 + tags: + - WN19-UR-000090 + - V-93063 + - SRG-OS-000324-GPOS-00125 + - SV-103151r1 + - CCI-002235 + - medium + - patch + +- name: "MEDIUM | WN19-UR-000110 | Force shutdown from a remote system user right must only be assigned to the Administrators group." + win_user_right: + name: SeRemoteShutdownPrivilege + users: Administrators + action: set + when: wn19_ur_000110 + tags: + - WN19-UR-000110 + - V-93067 + - SRG-OS-000324-GPOS-00125 + - SV-103155r1 + - CCI-002235 + - medium + - patch + - borked_passes_when_empty + +- name: "MEDIUM | WN19-UR-000120 | Generate security audits user right must only be assigned to Local Service and Network Service." 
+ win_user_right: + name: SeAuditPrivilege + users: + - Local Service + - Network Service + action: set + when: wn19_ur_000120 + tags: + - WN19-UR-000120 + - V-93069 + - SRG-OS-000324-GPOS-00125 + - SV-103157r1 + - CCI-002235 + - medium + - patch + +- name: "MEDIUM | WN19-UR-000130 | Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service." + win_user_right: + name: SeImpersonatePrivilege + users: + - Administrators + - Service + - Local Service + - Network Service + action: set + when: wn19_ur_000130 + tags: + - WN19-UR-000130 + - V-93071 + - SRG-OS-000324-GPOS-00125 + - SV-103159r1 + - CCI-002235 + - medium + - patch + +- name: "MEDIUM | WN19-UR-000140 | Increase scheduling priority: user right must only be assigned to the Administrators group." + win_user_right: + name: SeIncreaseBasePriorityPrivilege + users: Administrators + action: set + when: wn19_ur_000140 + tags: + - WN19-UR-000140 + - V-93073 + - SRG-OS-000324-GPOS-00125 + - SV-103161r1 + - CCI-002235 + - medium + - patch + - borked_passes_when_empty + +- name: "MEDIUM | WN19-UR-000150 | Load and unload device drivers user right must only be assigned to the Administrators group." + win_user_right: + name: SeLoadDriverPrivilege + users: Administrators + action: set + when: wn19_ur_000150 + tags: + - WN19-UR-000150 + - V-93075 + - SRG-OS-000324-GPOS-00125 + - SV-103163r1 + - CCI-002235 + - medium + - patch + - borked_passes_when_empty + +- name: "MEDIUM | WN19-UR-000160 | Lock pages in memory user right must not be assigned to any groups or accounts." + win_security_policy: + section: Privilege Rights + key: SeLockMemoryPrivilege + value: "" + when: wn19_ur_000160 + tags: + - WN19-UR-000160 + - V-93077 + - SRG-OS-000324-GPOS-00125 + - SV-103165r1 + - CCI-002235 + - medium + - patch + +- name: "MEDIUM | WN19-UR-000170 | Manage auditing and security log user right must only be assigned to the Administrators group." 
+ win_user_right: + name: SeSecurityPrivilege + users: Administrators + action: set + when: wn19_ur_000170 + tags: + - WN19-UR-000170 + - V-93197 + - SRG-OS-000057-GPOS-00027 + - SV-103285r1 + - CCI-000162 + - CCI-000163 + - CCI-000164 + - CCI-000171 + - CCI-001914 + - medium + - patch + +- name: "MEDIUM | WN19-UR-000180 | Modify firmware environment values user right must only be assigned to the Administrators group." + win_user_right: + name: SeSystemEnvironmentPrivilege + users: Administrators + action: set + when: wn19_ur_000180 + tags: + - WN19-UR-000180 + - V-93079 + - SRG-OS-000324-GPOS-00125 + - SV-103167r1 + - CCI-002235 + - medium + - patch + +- name: "MEDIUM | WN19-UR-000190 | Perform volume maintenance tasks user right must only be assigned to the Administrators group." + win_user_right: + name: SeManageVolumePrivilege + users: Administrators + action: set + when: wn19_ur_000190 + tags: + - WN19-UR-000190 + - V-93081 + - SRG-OS-000324-GPOS-00125 + - SV-103169r1 + - CCI-002235 + - medium + - patch + +- name: "MEDIUM | WN19-UR-000200 | Profile single process user right must only be assigned to the Administrators group." + win_user_right: + name: SeProfileSingleProcessPrivilege + users: Administrators + action: set + when: wn19_ur_000200 + tags: + - WN19-UR-000200 + - V-93083 + - SRG-OS-000324-GPOS-00125 + - SV-103171r1 + - CCI-002235 + - medium + - patch + +- name: "MEDIUM | WN19-UR-000210 | The Restore files and directories user right must only be assigned to the Administrators group." + win_user_right: + name: SeRestorePrivilege + users: Administrators + action: set + when: wn19_ur_000210 + tags: + - WN19-UR-000210 + - V-93085 + - SRG-OS-000324-GPOS-00125 + - SV-103173r1 + - CCI-002235 + - medium + - patch + +- name: "MEDIUM | WN19-UR-000220 | The Take ownership of files or other objects user right must only be assigned to the Administrators group." 
+ win_user_right: + name: SeTakeOwnershipPrivilege + users: Administrators + action: set + when: wn19_ur_000220 + tags: + - WN19-UR-000220 + - V-93087 + - SRG-OS-000324-GPOS-00125 + - SV-103175r1 + - CCI-002235 + - medium + - patch + diff --git a/tasks/cat3.yml b/tasks/cat3.yml new file mode 100644 index 0000000..f9d5ec2 --- /dev/null +++ b/tasks/cat3.yml 
@@ -0,0 +1,283 @@ +--- +- name: "LOW | WN19-00-000180 | Non-administrative accounts or groups must only have print permissions on printer shares." + block: + - name: "LOW | WN19-00-000180 | AUDIT | Non-administrative accounts or groups must only have print permissions on printer shares." + win_shell: echo true + register: wn19_00_000180_audit + check_mode: no + changed_when: no + tags: audit + + - name: "LOW | WN19-00-000180 | PATCH | Non-administrative accounts or groups must only have print permissions on printer shares." + win_shell: echo true + changed_when: no + tags: patch + when: + - wn19_00_000180 + - is_implemented + tags: + - WN19-00-000180 + - V-92993 + - SRG-OS-000080-GPOS-00048 + - SV-103081r1 + - CCI-000213 + - low + +- name: "LOW | WN19-00-000440 | The time service must synchronize with an appropriate DoD time source." + block: + - name: "LOW | WN19-00-000440 | AUDIT | The time service must synchronize with an appropriate DoD time source." + win_shell: echo true + register: wn16_00_000450_audit + check_mode: no + changed_when: no + tags: audit + + - name: "LOW | WN19-00-000440 | PATCH | The time service must synchronize with an appropriate DoD time source." + win_shell: echo true + changed_when: no + tags: patch + when: + - wn19_00_000440 + - is_implemented + tags: + - WN19-00-000440 + - V-93187 + - SRG-OS-000355-GPOS-00143 + - SV-103275r1 + - CCI-001891 + - low + +- name: "LOW | WN19-00-000460 | Systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS." + block: + - name: "LOW | WN19-00-000460 | AUDIT | Systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS." 
+ win_shell: echo true + register: wn19_00_000460_audit + check_mode: no + changed_when: no + tags: audit + + - name: "LOW | WN19-00-000460 | PATCH | Systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS." + win_shell: echo true + changed_when: no + tags: patch + when: + - wn19_00_000460 + - is_implemented + tags: + - WN19-00-000460 + - V-93229 + - SRG-OS-000480-GPOS-00227 + - SV-103317r1 + - CCI-000366 + - low + +- name: "LOW | WN19-00-000470 | Must have Secure Boot enabled." + block: + - name: "LOW | WN19-00-000470 | AUDIT | Must have Secure Boot enabled." + win_shell: echo true + register: wn19_00_000470_audit + check_mode: no + changed_when: no + tags: audit + + - name: "LOW | WN19-00-000470 | PATCH | Must have Secure Boot enabled." + win_shell: echo true + changed_when: no + tags: patch + when: + - wn19_00_000470 + - is_implemented + tags: + - WN19-00-000470 + - V-93231 + - SRG-OS-000480-GPOS-00227 + - SV-103319r1 + - CCI-000366 + - low + +- name: "LOW | WN19-CC-000030 | Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing." + win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters + state: present + value: DisableIPSourceRouting + data: 2 + datatype: dword + when: wn19_cc_000030 + tags: + - WN19-CC-000030 + - V-93233 + - SRG-OS-000480-GPOS-00227 + - SV-103321r1 + - CCI-000366 + - patch + - low + +- name: "LOW | WN19-CC-000040 | Source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing." 
+ win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters + state: present + value: DisableIPSourceRouting + data: 2 + datatype: dword + when: wn19_cc_000040 + tags: + - WN19-CC-000040 + - V-93235 + - SRG-OS-000480-GPOS-00227 + - SV-103323r1 + - CCI-000366 + - patch + - low + +- name: "LOW | WN19-CC-000050 | Must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes." + win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters + state: present + value: EnableICMPRedirect + data: 0 + datatype: dword + when: wn19_cc_000050 + tags: + - WN19-CC-000050 + - V-93237 + - SRG-OS-000480-GPOS-00227 + - SV-103325r1 + - CCI-000366 + - patch + - low + +- name: "LOW | WN19-CC-000060 | Must be configured to ignore NetBIOS name release requests except from WINS servers." + win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Services\Netbt\Parameters + state: present + value: NoNameReleaseOnDemand + data: 1 + datatype: dword + when: wn19_cc_000060 + tags: + - WN19-CC-000060 + - V-93541 + - SRG-OS-000420-GPOS-00186 + - SV-103627r1 + - CCI-002385 + - patch + - low + +- name: "MEDIUM | WN19-CC-000070 | Insecure logons to an SMB server must be disabled." + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation + state: present + value: AllowInsecureGuestAuth + data: 0 + datatype: dword + when: wn19_cc_000070 + tags: + - WN19-CC-000070 + - V-93239 + - SRG-OS-000480-GPOS-00227 + - SV-103327r1 + - CCI-000366 + - patch + - low + +- name: "LOW | WN19-CC-000200 | Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft." 
+ win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat + state: present + value: DisableInventory + data: 1 + datatype: dword + when: wn19_cc_000200 + tags: + - WN19-CC-000200 + - V-93409 + - SRG-OS-000095-GPOS-00049 + - SV-103495r1 + - CCI-000381 + - patch + - low + +- name: "LOW | WN19-CC-000320 | Turning off File Explorer heap termination on corruption must be disabled." + block: + - name: "LOW | WN19-CC-000320 | AUDIT | Turning off File Explorer heap termination on corruption must be disabled." + win_shell: echo true + register: wn19_cc_000320_audit + check_mode: no + changed_when: no + tags: audit + + - name: "LOW | WN19-CC-000320 | PATCH | Turning off File Explorer heap termination on corruption must be disabled." + win_shell: echo true + changed_when: no + tags: patch + when: + - wn19_cc_000320 + - is_implemented + tags: + - WN19-CC-000320 + - low + +- name: "LOW | WN19-DC-000160 | The directory service must be configured to terminate LDAP-based network connections to the directory server after 5 minutes of inactivity." + block: + - name: "LOW | WN19-DC-000160 | AUDIT | The directory service must be configured to terminate LDAP-based network connections to the directory server after 5 minutes of inactivity." + win_shell: echo true + register: wn19_dc_000160_audit + check_mode: no + changed_when: no + tags: audit + + - name: "LOW | WN19-DC-000160 | PATCH | The directory service must be configured to terminate LDAP-based network connections to the directory server after 5 minutes of inactivity." + win_shell: echo true + changed_when: no + tags: patch + when: + - wn19_dc_000160 + - is_implemented + tags: + - WN19-DC-000160 + - V-93509 + - SRG-OS-000163-GPOS-00072 + - SV-103595r1 + - CCI-001133 + - low + +- name: "LOW | WN19-SO-000140 | The Windows dialog box title for the legal banner must be configured with the appropriate text." 
+ win_regedit: + path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System + state: present + value: LegalNoticeCaption + data: "{{ wn19_so_000140_legalnoticecaption }}" + datatype: string + when: wn19_so_000140 + tags: + - WN19-SO-000140 + - V-93149 + - SRG-OS-000023-GPOS-00006 + - SV-103237r1 + - CCI-000048 + - CCI-001384 + - CCI-001385 + - CCI-001386 + - CCI-001387 + - CCI-001388 + - patch + - low + - borked_regkey_casesensitive + +- name: "LOW | WN19-SO-000370 | Default permissions of global system objects must be strengthened." + win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager + state: present + value: ProtectionMode + data: 1 + datatype: string + when: wn19_so_000370 + tags: + - WN19-SO-000370 + - V-93309 + - SRG-OS-000480-GPOS-00227 + - SV-103397r1 + - CCI-000366 + - patch + - low + diff --git a/tasks/main.yml b/tasks/main.yml new file mode 100644 index 0000000..64cca1e --- /dev/null +++ b/tasks/main.yml 
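Review bot: WN19-SO-000370 at the end of this hunk writes `ProtectionMode` under `Session Manager` with `datatype: string`, while the cat2 task WN19-SO-000360 earlier in this patch writes the same value as `dword`; with both enabled the two tasks rewrite the value on every run, and since this setting is a REG_DWORD in the policy mapping the string form is unlikely to take effect, so the cat3 line should read `datatype: dword` (the cat2 task also carries SO-000370's V-93309/SV-103397r1 identifiers, which looks like a copy-paste to be untangled). The six block tasks here (WN19-00-000180/000440/000460/000470, CC-000320, DC-000160) run `win_shell: echo true` with `changed_when: no` for both AUDIT and PATCH, so they report nothing while appearing to cover the control; until real checks exist each should carry a marker such as `# TODO: placeholder - does not audit or remediate this control`, and the register `wn16_00_000450_audit` under WN19-00-000440 should be `wn19_00_000440_audit`. WN19-CC-000070 is titled MEDIUM but tagged `low` and lives in cat3; one of the two should change so severity filtering is consistent.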
@@ -0,0 +1,52 @@ +--- + +- name: Gather distribution info + setup: + gather_subset: distribution,!all,!min + when: + - ansible_distribution is not defined + tags: + - always + +- name: Check OS version and family + assert: + that: + - ansible_os_family == 'Windows' + - ansible_distribution | regex_search('(Microsoft Windows Server 2019)') + success_msg: "{{ ansible_distribution }} {{ ansible_distribution_major_version }} is the detected operating system." + fail_msg: "This role can only be run against Windows Server 2019 Editions. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported." + tags: + - always + +- name: Check ansible version + assert: + that: ansible_version.full is version_compare(win2019stig_min_ansible_version, '>=') + msg: You must use Ansible {{ win2019stig_min_ansible_version }} or greater + tags: + - always + +- name: Include the preliminary tasks + include_tasks: prelim.yml + tags: + - prelim_tasks + +- name: Execute the category 1 (highest severity) tasks + import_tasks: cat1.yml + when: win2019stig_cat1_patch | bool + tags: + - cat1 + - high + +- name: Execute the category 2 (medium severity) tasks + import_tasks: cat2.yml + when: win2019stig_cat2_patch | bool + tags: + - cat2 + - medium + +- name: Execute the category 3 (lowest severity) tasks + import_tasks: cat3.yml + when: win2019stig_cat3_patch | bool + tags: + - cat3 + - medium diff --git a/tasks/prelim.yml b/tasks/prelim.yml new file mode 100644 index 0000000..db35e36 --- /dev/null +++ b/tasks/prelim.yml 
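Review bot: The category 3 import at the end of this hunk is tagged `medium`, so `--tags low` skips every cat3 task and `--tags medium` pulls them in alongside cat2; the tag should be `low` to match the tasks in cat3.yml. The preliminary tasks are pulled in with `include_tasks`, which is dynamic and is itself filtered by tags, so a run with `--tags cat2` skips the include and the facts prelim.yml registers are never set; either add `always` to that task's tags or use `import_tasks: prelim.yml` like the category files. `version_compare` still works but is the legacy name for the `version` test, so `is version(win2019stig_min_ansible_version, '>=')` is the current form.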
@@ -0,0 +1,23 @@ +--- +- name: "PRELIM | Detect if Trusted Platform Module (TPM) is available" + win_shell: (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType + register: win2019_tpm_enabled + changed_when: no + failed_when: no + tags: + - always + +# 1 = disabled 0 = enabled +# this reg key may be useful detect is secure conenctions enabled, etc? +- name: "PRELIM | Detect if Remote Desktop Services (RDP) is enabled" + win_reg_stat: + path: HKLM:\System\CurrentControlSet\Control\Terminal Server + name: fDenyTSConnections + register: win2019_rdp_enabled + changed_when: no + failed_when: no + tags: + - always +# remove this debug or set a verb level +- debug: + var: win2019_rdp_enabled.value
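Review bot: The first task is named as a TPM check and registers `win2019_tpm_enabled`, but `(Get-CimInstance -ClassName Win32_OperatingSystem).ProductType` returns the OS role (workstation, domain controller or server), not TPM presence, so any later condition keyed off that variable would be deciding on the wrong fact; query the TPM instead, e.g. `win_shell: (Get-Tpm).TpmPresent`, or rename the task and variable to what it actually detects. Both detection tasks set `failed_when: no`, which turns a failing probe into an empty `.stdout`/`.value` that later `when` clauses would evaluate silently, so the consumers should check the registered value is defined before relying on it. The trailing `debug` is already marked for removal by its own comment; if it stays, give it `verbosity: 1` so normal runs do not print it.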