Releases: ansible-lockdown/Windows-2019-CIS

Benchmark 2.0.0 Updates

14 Nov 14:32
233dafc

CIS Version: 2.0.0
CIS Version Release Benchmark v2.0.0 - 04-14-2023

REMOVE - 18.5.4 (L1) Ensure 'Configure DNS over HTTPS (DoH) name resolution' is set to 'Enabled: Allow DoH' or higher

UPDATE - 18.9.89 'Allow Windows Ink Workspace' TO 'Enabled: On, but disallow access above lock' OR 'Enabled: Disabled'

UPDATE - Section changes from Windows 11 Release 22H2 Administrative Templates

UPDATE - 18.10.87 (L1) 'Turn on PowerShell Transcription' is set to 'Disabled' TO 'Enabled'

ADD - 1.2 (L1) Ensure 'Allow Administrator account lockout' is set to 'Enabled'

REMOVE - 2.3.1 (L1) Ensure 'Accounts: Administrator account status' is set to 'Disabled'

ADD - 18.4 (L1) Ensure 'Configure RPC packet level privacy setting for incoming connections' is set to 'Enabled'

MOVE - 18.4 (L1) Ensure 'Limits print driver installation to Administrators' is set to 'Enabled' TO 18.7

ADD - 18.4 (L1) Ensure 'LSA Protection' is set to 'Enabled'

ADD - 18.6.4 (L1) Ensure 'Configure NetBIOS settings' is set to 'Enabled: Disable NetBIOS name resolution on public networks'

ADD - 18.7 (L1) Ensure 'Configure Redirection Guard' is set to 'Enabled: Redirection Guard Enabled'

ADD - 18.7 (L1) Ensure 'Configure RPC connection settings: Protocol to use for outgoing RPC connections' is set to 'Enabled: RPC over TCP'

ADD - 18.7 (L1) Ensure 'Configure RPC connection settings: Use authentication for outgoing RPC connections' is set to 'Enabled: Default'

ADD - 18.7 (L1) Ensure 'Configure RPC listener settings: Protocols to allow for incoming RPC connections' is set to 'Enabled: RPC over TCP'

ADD - 18.7 (L1) Ensure 'Configure RPC listener settings: Authentication protocol to use for incoming RPC connections' is set to 'Enabled: Negotiate' or higher

ADD - 18.7 (L1) Ensure 'Manage processing of Queue-specific files' is set to 'Enabled: Limit Queue-specific files to Color profiles'

ADD - 18.10.17 (L1) Ensure 'Enable App Installer' is set to 'Disabled'

ADD - 18.10.17 (L1) Ensure 'Enable App Installer Experimental Features' is set to 'Disabled'

ADD - 18.10.17 (L1) Ensure 'Enable App Installer Hash Override' is set to 'Disabled'

ADD - 18.10.17 (L1) Ensure 'Enable App Installer ms-appinstaller protocol' is set to 'Disabled'

UPDATE - 18.10.43.6.1 (L1) Ensure 'Configure Attack Surface Reduction rules' with additional ASR rule for "Block abuse of exploited vulnerable signed drivers"

ADD - 18.10.59 (L2) Ensure 'Allow search highlights' is set to 'Disabled'

ADD - 18.7 (L1) Ensure 'Configure RPC over TCP port' is set to 'Enabled: 0'

Benchmark 1.3.0 Updates

14 Aug 18:19
a5b2f2b

CIS Version: 1.3.0
CIS Version Release Date: 3-18-2022

Enhancements

  • Issues Closed
  • Benchmarks 1.2.1 - 1.2.3 Put In Correct Order To Take Into Account System Defaults.
  • Benchmark 1.1.7 - Added
  • Benchmark 2.2.37 - Added Variable To Choose If Exchange Server Installed.
  • Benchmark 2.3.6.5 - Added Variable
  • Benchmark 2.3.7.3 - Added Variable
  • Benchmark 2.3.7.6 - Added Variable
  • Benchmark 2.3.7.7 - Added Variable
  • Benchmark 18.4.9 - Added Variable
  • Benchmark 18.4.12 - Added Variable
  • Benchmark 18.8.3.1 - Old setting was set to disabled, new benchmark calls for enabled. Updated registry value.
  • Benchmark 18.9.12.1 - Calls For Disabled, Updated and Changed Registry Entry To Disable.
  • Benchmark 18.9.17.2 - Calls For Enabled, Updated and Changed Registry Entry To Enable.
  • Benchmark 18.9.27.1.2 - Added Variable
  • Benchmark 18.9.27.2.2 - Added Variable
  • Benchmark 18.9.27.3.2 - Added Variable
  • Benchmark 18.9.27.4.2 - Added Variable
  • Benchmark 18.9.64.1 - Added
  • Benchmark 18.9.65.3.10.1 - Added Variable
  • Benchmark 18.9.65.3.10.2 - Updated the registry entry time to 1 Min per CIS.
  • Benchmark 19.3.3 - Added Variable
  • Benchmark 19.1.3.4 - Removed, Not A Valid Control

What's Changed

  • Win 2019 CIS v1.3.0 release by @MrSteve81 in #66
  • Yamllint Update, Yamllint Check, Ansible-lint Check, Module Names Update, Banner Fix, Bug #67 by @MrSteve81 in #68
  • April pipeline fixes, Workflow files, Added Cloud Support For Tasks 1.2.1 - 3 by @MrSteve81 in #71
  • Update Changelog by @MrSteve81 in #73
  • April pipeline fixes for offer variable by @MrSteve81 in #74
  • Win Skip For Test Name Update, Set system facts based on gather facts module default vars by @MrSteve81 in #76
  • Templates Update, Cloud Control Fixed, When Statement Fixes, Workflow by @MrSteve81 in #78
  • Updated Changelog For Version Release, Whitespaces, Meta Data, Readme Update by @MrSteve81 in #79
  • Update To CIS 1.3 by @MrSteve81 in #81
  • Update Changelog by @MrSteve81 in #84
  • Workflow update by @MrSteve81 in #83

New Contributors

Full Changelog: 1.2.0...1.3.0

Benchmark 1.3.0

26 Oct 14:29
1f15792

CIS Version: 1.3.0
CIS Version Release Date: 3-18-2022

Issues Addressed:

Enhancements:

  • Updated to CIS benchmark 1.3.0

Issue Fixes and Control Additions

02 Jul 14:04
6d657c9

CIS Version: 1.1.0 01-14-2020

Issue Fixes:
#37 - 18.9.59.3.11.1 - Updated level tags
#38 - 18.1.2.2 - Implemented control
#39 - 18.3.1 - Implemented control
#40 - 2.3.1.5/2.3.1.6 - Created variables for values
#41 - 2.2.47 - Updated value
#42 - 2.2.18 - Added logic for Hyper-V role not being installed

Enhancements:
Fixed linting issues to work with Galaxy
Implemented 18.1.3
Implemented 18.2.1
Implemented 18.2.2
Implemented 18.2.3
Implemented 18.2.4
Implemented 18.2.5
Implemented 18.2.6
Implemented 18.3.2
Implemented 18.3.5

Issue Fixes

14 Apr 14:28
c65a68e

CIS Version: 1.1.0 01-14-2020
Issues Addressed:
#14 - 18.3.4 - Bad data value
#15 - 18.3.6 - Bad data value
#16 - 18.5.21.1 - Bad data value
#17 - 18.9.77.13.3.1 - Bad regkey name
#18 - 18.9.95.1 - Bad data value
#19 - 18.9.95.2 - Bad data value
#21 - 18.9.26.3.1 - Bad regkey path
#23 - 18.9.26.1.1 - Bad data type
#24 - 19.7.4.1 - Bad data value
#25 - 2.3.6.4 - Bad data value
#26 - 2.3.11.4 - Bad data value
#27 - 17.5.1 - Bad shell command (fixed success:enable to failure:enable)
#28 - 9.1.4/9.2.4/9.3.4 - Bad data value

Minor fixes and adjustments

31 Mar 20:11
a2f21b8

CIS Version: 1.1.0 01-14-2020
Issues Addressed:

  • #7 - 18.3.7 Control is missing
  • #8 - Align tags between sections
  • #10 - Wrong user for all users in win_user_right module

Updates:

  • Added missing controls 17.1.2 and 17.1.3
  • Updated README and CONTRIBUTING file

Initial Release

31 Mar 19:26
0625dd8

CIS Version: 1.1.0 01-14-2020