
Releases: ansible-lockdown/Windows-2022-CIS

Benchmark 2.0.0 Updates

14 Nov 19:23
2368c62

CIS Version: 2.0.0
CIS Version Release Benchmark v2.0.0 - 04-14-2023

ADD - 18.9.13 (L2) Ensure 'Turn off cloud optimized content' is set to 'Enabled'

UPDATE - 18.9.89 (L1) 'Allow Windows Ink Workspace' TO 'Enabled: On, but disallow access above lock' OR 'Enabled:

UPDATE - Section changes from Windows 11 Release 22H2 Administrative Templates

UPDATE - 18.10.87 (L1) 'Turn on PowerShell Transcription' is set to 'Disabled' TO 'Enabled'

ADD - 1.2 (L1) Ensure 'Allow Administrator account lockout' is set to 'Enabled'

REMOVE - 2.3.1 (L1) Ensure 'Accounts: Administrator account status' is set to 'Disabled'

ADD - 18.4 (L1) Ensure 'Configure RPC packet level privacy setting for incoming connections' is set to 'Enabled'

MOVE - 18.4 (L1) Ensure 'Limits print driver installation to Administrators' is set to 'Enabled' TO 18.7

ADD - 18.6.4 (L1) Ensure 'Configure NetBIOS settings' is set to 'Enabled: Disable NetBIOS name resolution on public networks'

ADD - 18.7 (L1) Ensure 'Configure Redirection Guard' is set to 'Enabled: Redirection Guard Enabled'

ADD - 18.7 (L1) Ensure 'Configure RPC connection settings: Protocol to use for outgoing RPC connections' is set to 'Enabled: RPC over TCP'

ADD - 18.7 (L1) Ensure 'Configure RPC connection settings: Use authentication for outgoing RPC connections' is set to 'Enabled: Default'

ADD - 18.7 (L1) Ensure 'Configure RPC listener settings: Protocols to allow for incoming RPC connections' is set to 'Enabled: RPC over TCP'

ADD - 18.7 (L1) Ensure 'Configure RPC listener settings: Authentication protocol to use for incoming RPC connections' is set to 'Enabled: Negotiate' or higher

ADD - 18.7 (L1) Ensure 'Manage processing of Queue-specific files' is set to 'Enabled: Limit Queue-specific files to Color profiles'

ADD - 18.9.25 (L1) Ensure 'Allow Custom SSPs and APs to be loaded into LSASS' is set to 'Disabled'
Ticket #17580

ADD - 18.9.25 (NG) Ensure 'Configures LSASS to run as a protected process' is set to 'Enabled: Enabled with UEFI Lock'

ADD - 18.10.17 (L1) Ensure 'Enable App Installer' is set to 'Disabled'

ADD - 18.10.17 (L1) Ensure 'Enable App Installer Experimental Features' is set to 'Disabled'

ADD - 18.10.17 (L1) Ensure 'Enable App Installer Hash Override' is set to 'Disabled'

ADD - 18.10.17 (L1) Ensure 'Enable App Installer ms-appinstaller protocol' is set to 'Disabled'

UPDATE - 18.10.43.6.1 (L1) Ensure 'Configure Attack Surface Reduction rules' with additional ASR rule for "Block abuse of exploited vulnerable signed drivers"

ADD - 18.10.57.3.3 (L2) Ensure 'Do not allow WebAuthn redirection' is set to 'Enabled'

ADD - 18.10.59 (L2) Ensure 'Allow search highlights' is set to 'Disabled'

ADD - 18.10.82 (L1) Ensure 'Enable MPR notifications for the system' is set to 'Disabled'

ADD - 18.7 (L1) Ensure 'Configure RPC over TCP port' is set to 'Enabled: 0'

1.0.0

05 Oct 16:20
045361d

CIS Version: 1.0.0
CIS Version Release Date: 02-14-2022