diff --git a/ChangeLog.md b/ChangeLog.md index aa3fcfc..1d55c7a 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -2,17 +2,28 @@ ## Release 2.0.1 +December 2024 Updates +- Updated 1.1.2 When logic +- Issues Addressed: + - [#51](https://github.com/ansible-lockdown/Windows-2022-CIS/issues/51) - Thank you @msachikanta + - [#50](https://github.com/ansible-lockdown/Windows-2022-CIS/issues/50) - Thank you @msachikanta + - [#48](https://github.com/ansible-lockdown/Windows-2022-CIS/issues/48) - Thanks @animatco + - [#45](https://github.com/ansible-lockdown/Windows-2022-CIS/issues/45) - Thanks @Crombell95 + - [#32](https://github.com/ansible-lockdown/Windows-2022-CIS/issues/32) - Thanks @RomainPisters (Verified It has been addressed.) +- PR's Addressed: + - [#53](https://github.com/ansible-lockdown/Windows-2022-CIS/pull/53/files) - Thanks @tgoetheyn + April 2024 Update -Thank you @RomainPisters - - Fix from Issue #32 +- Issues Addressed: + - [#32](https://github.com/ansible-lockdown/Windows-2022-CIS/issues/32) - Thank you @RomainPisters March 2024 Update -Thank you @MrSteve81 for the enhancements to this release! - - Improved 19.x section logic for Windows local user SIDs and HKU support. - - Reboot handler and logic Improvement with skip_reboot var feature. - - win_skip_for_test var update with additional description and supported controls of 2.2.20, 2.2.25, and 2.2.26. - - Mislabeled control fix for win22cis_rule_18_9_7_2 - - Improved logic for win22cis_cloud_based_system 1.2.x controls. +- Thank you @MrSteve81 for the enhancements to this release! + - Improved 19.x section logic for Windows local user SIDs and HKU support. + - Reboot handler and logic Improvement with skip_reboot var feature. + - win_skip_for_test var update with additional description and supported controls of 2.2.20, 2.2.25, and 2.2.26. + - Mislabeled control fix for win22cis_rule_18_9_7_2 + - Improved logic for win22cis_cloud_based_system 1.2.x controls. February 2024 Update - Issues Addressed: 
diff --git a/defaults/main.yml b/defaults/main.yml
index 435440b..498a11f 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -325,7 +325,7 @@ win22cis_rule_18_6_9_1: true
 win22cis_rule_18_6_9_2: true
 win22cis_rule_18_6_10_2: true
 win22cis_rule_18_6_11_2: true
-win22cis_rule_18_5_11_3: true
+win22cis_rule_18_6_11_3: true
 win22cis_rule_18_6_11_4: true
 win22cis_rule_18_6_14_1: true
 win22cis_rule_18_6_19_2_1: true
@@ -389,7 +389,7 @@ win22cis_rule_18_9_27_7: true
 win22cis_rule_18_9_30_1: true
 win22cis_rule_18_9_30_2: true
 win22cis_rule_18_9_32_6_1: true
-win22cis_rule_18_3_32_6_2: true
+win22cis_rule_18_9_32_6_2: true
 win22cis_rule_18_9_32_6_3: true
 win22cis_rule_18_9_32_6_4: true
 win22cis_rule_18_9_34_1: true
@@ -467,6 +467,7 @@ win22cis_rule_18_10_57_3_3_3: true
 win22cis_rule_18_10_57_3_3_4: true
 win22cis_rule_18_10_57_3_3_5: true
 win22cis_rule_18_10_57_3_3_6: true
+win22cis_rule_18_10_57_3_3_7: true
 win22cis_rule_18_10_57_3_9_1: true
 win22cis_rule_18_10_57_3_9_2: true
 win22cis_rule_18_10_57_3_9_3: true
diff --git a/tasks/section01.yml b/tasks/section01.yml
index 4e6a0bc..9224764 100644
--- a/tasks/section01.yml
+++ b/tasks/section01.yml
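Review bot: Renaming `win22cis_rule_18_5_11_3` to `win22cis_rule_18_6_11_3` in the first hunk (and `win22cis_rule_18_3_32_6_2` to `win22cis_rule_18_9_32_6_2` in the second) silently discards any inventory or group_vars override a user had placed on the old misnamed variable, so a control someone had deliberately disabled reverts to the default `true` with no error. That is worth an explicit line in the ChangeLog entry for this release so operators know to rename their overrides. The tasks that consume the renamed variables and the new `win22cis_rule_18_10_57_3_3_7` toggle are not part of this diff; presumably the section18 task file was updated to match, but that should be verified.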
@@ -36,14 +36,26 @@ - name: "1.1.2 | PATCH | Ensure Maximum password age is set to 365 or fewer days but not 0" block: + - name: "1.1.2 | PATCH | Ensure Maximum password age is set to 365 or fewer days but not 0. | Set Variable." + community.windows.win_security_policy: + section: System Access + key: MaximumPasswordAge + value: "{{ win22cis_maximum_password_age }}" + when: + - win22cis_maximum_password_age <= 365 + - win22cis_maximum_password_age > 0 + - win22cis_maximum_password_age > win22cis_minimum_password_age + - name: "1.1.2 | AUDIT | Ensure Maximum password age is set to 365 or fewer days but not 0. | Warning check for maximum password age time." ansible.builtin.debug: msg: - "Warning!! You have an invalid age set for win22cis_maximum_password_age please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." + - "Also verify your win22cis_maximum_password_age is more then the win22cis_minimum_password_age" when: - win22cis_maximum_password_age > 365 or win22cis_maximum_password_age == 0 + - win22cis_maximum_password_age < win22cis_minimum_password_age - name: "1.1.2 | AUDIT | Ensure Maximum password age is set to 365 or fewer days but not 0. | Set warning count." ansible.builtin.import_tasks: @@ -53,15 +65,7 @@ when: - win22cis_maximum_password_age > 365 or win22cis_maximum_password_age == 0 - - - name: "1.1.2 | PATCH | Ensure Maximum password age is set to 365 or fewer days but not 0. | Set Variable." - community.windows.win_security_policy: - section: System Access - key: MaximumPasswordAge - value: "{{ win22cis_maximum_password_age }}" - when: - - win22cis_maximum_password_age <= 365 - - win22cis_maximum_password_age > 0 + - win22cis_maximum_password_age < win22cis_minimum_password_age when: - win22cis_rule_1_1_2 tags: 
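Review bot: The added `- win22cis_maximum_password_age < win22cis_minimum_password_age` item on the 1.1.2 warning task (and on the warning-count task in the second hunk) is AND-ed with the existing range check, because every item of a `when:` list must be true; a maximum of 400 with a minimum of 1 therefore triggers neither the warning nor the patch, and a maximum equal to the minimum is likewise silently skipped because the patch task requires a strict `>`. Fold the new check into the existing item with `or` in both places, e.g. `- win22cis_maximum_password_age > 365 or win22cis_maximum_password_age == 0 or win22cis_maximum_password_age <= win22cis_minimum_password_age`, so that any configuration the patch refuses is reported. The added message line reads `more then`; `more than` is intended. The enclosing 1.1.2 block spans both hunks.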
@@ -73,14 +77,26 @@ - name: "1.1.3 | PATCH | Ensure Minimum password age is set to 1 or more days" block: + - name: "1.1.3 | PATCH | Ensure Minimum password age is set to 1 or more days. | Set Variable." + community.windows.win_security_policy: + section: System Access + key: MinimumPasswordAge + value: "{{ win22cis_minimum_password_age }}" + when: + - win22cis_minimum_password_age <= 364 or + win22cis_minimum_password_age > 0 + - win22cis_minimum_password_age < win22cis_maximum_password_age + - name: "1.1.3 | AUDIT | Ensure Minimum password age is set to 1 or more days. | Warning check for minimum password age." ansible.builtin.debug: msg: - "Warning!! You have an invalid age set for win22cis_maximum_password_age please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." + - "Also verify your win22cis_minimum_password_age is less then the win22cis_maximum_password_age" when: - - win22cis_maximum_password_age > 999 or - win22cis_maximum_password_age == 0 + - win22cis_minimum_password_age > 364 or + win22cis_minimum_password_age == 0 + - win22cis_minimum_password_age > win22cis_maximum_password_age - name: "1.1.3 | AUDIT | Ensure Minimum password age is set to 1 or more days. | Set warning count." ansible.builtin.import_tasks: @@ -88,17 +104,9 @@ vars: warn_control_id: '1.1.3' when: - - win22cis_maximum_password_age > 999 or - win22cis_maximum_password_age == 0 - - - name: "1.1.3 | PATCH | Ensure Minimum password age is set to 1 or more days. | Set Variable." - community.windows.win_security_policy: - section: System Access - key: MinimumPasswordAge - value: "{{ win22cis_minimum_password_age }}" - when: - - win22cis_maximum_password_age <= 999 or - win22cis_maximum_password_age > 0 + - win22cis_minimum_password_age > 364 or + win22cis_minimum_password_age == 0 + - win22cis_minimum_password_age > win22cis_maximum_password_age when: - win22cis_rule_1_1_3 tags: 
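Review bot: The new 1.1.3 patch task's first `when:` item, `win22cis_minimum_password_age <= 364 or win22cis_minimum_password_age > 0`, is true for every integer, so the range check does nothing and a minimum of 0 is still written to the policy as long as it is below the maximum; split it into two list items, `- win22cis_minimum_password_age <= 364` and `- win22cis_minimum_password_age > 0`. The warning task and the warning-count task in the second hunk have the mirror-image problem: the added `- win22cis_minimum_password_age > win22cis_maximum_password_age` item is AND-ed with the `> 364 or == 0` item, so a minimum of 0 with a sane maximum produces no warning, and an equal minimum and maximum is neither patched nor warned about; join that condition with `or` instead of adding it as a separate item. The warning text still names `win22cis_maximum_password_age` although this control validates the minimum, and the added line's `less then` should be `less than`.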
@@ -108,6 +116,23 @@ - patch - password +# If the "RelaxMinimumPasswordLengthLimits" is not set prior to the "MinimumPasswordLength" +# an error occurs if the password is set beyond 14 characters. +- name: "1.1.6 | PATCH | Ensure Relax minimum password length limits is set to Enabled." + ansible.windows.win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Control\SAM + name: RelaxMinimumPasswordLengthLimits + data: 1 + type: dword + when: + - win22cis_rule_1_1_6 + - prelim_win22cis_is_domain_member + tags: + - level1-memberserver + - rule_1.1.6 + - patch + - password + - name: "1.1.4 | PATCH | Ensure Minimum password length is set to 14 or more characters" block: - name: "1.1.4 | AUDIT | Ensure Minimum password length is set to 14 or more characters | Warning Check For Variable Standards." @@ -155,7 +180,7 @@ - name: "1.1.6 | PATCH | Ensure Relax minimum password length limits is set to Enabled." ansible.windows.win_regedit: - path: HKLM:\System\CurrentControlSet\Control\SAM + path: HKLM:\SYSTEM\CurrentControlSet\Control\SAM name: RelaxMinimumPasswordLengthLimits data: 1 type: dword diff --git a/tasks/section02.yml b/tasks/section02.yml index 23e4f63..d7e1534 100644 --- a/tasks/section02.yml +++ b/tasks/section02.yml @@ -769,7 +769,7 @@ - name: "2.3.1.1 | PATCH | Ensure Accounts Block Microsoft accounts is set to Users can not add or log on with Microsoft accounts" ansible.windows.win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + path: HKLM:\SOFTWARE\Microsoft\Windows\Currentversion\Policies\System name: NoConnectedUser data: 3 type: dword @@ -798,7 +798,7 @@ - name: "2.3.1.3 | PATCH | Ensure Accounts Limit local account use of blank passwords to console logon only is set to Enabled" ansible.windows.win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa + path: HKLM:\SYSTEM\Currentcontrolset\Control\Lsa name: LimitBlankPasswordUse data: 1 type: dword 
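Review bot: The 1.1.6 task inserted ahead of 1.1.4 in the first hunk duplicates the existing 1.1.6 task that the second hunk (`@@ -155`) still patches, so `RelaxMinimumPasswordLengthLimits` is now set twice per run and the two copies can drift: the new copy is gated on `prelim_win22cis_is_domain_member` and tagged `level1-memberserver` only, while the later copy's conditions and tags are outside this diff. If the ordering requirement in the new comment is the reason for the move, remove the later copy (or skip it when the early one ran) rather than keeping both. The comment could also name the dependency explicitly, e.g. `# 1.1.4 errors when MinimumPasswordLength is set above 14 unless RelaxMinimumPasswordLengthLimits is already enabled, so 1.1.6 must run first.`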
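Review bot: The `HKLM:\System` to `HKLM:\SYSTEM` and `HKLM:\Software` to `HKLM:\SOFTWARE` edits in the 2.3.1.1 and 2.3.1.3 hunks, and in every following section02 and section09 hunk (2.3.2.1 through 9.1.1), only recapitalize the hive-level key; Windows registry key names are case-insensitive, so the change is presumably cosmetic. If the intent is canonical casing, the remaining components (`Currentcontrolset`, `Currentversion`, `Windows Nt`) are left in a non-canonical form, which makes the paths harder to grep than either fully normalized or untouched ones. Either normalize the whole path, e.g. `path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa`, or leave the casing alone.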
@@ -876,7 +876,7 @@ - name: "2.3.2.1 | PATCH | Ensure Audit Force audit policy subcategory settings Windows Vista or later to override audit policy category settings is set to Enabled" ansible.windows.win_regedit: - path: HKLM:\System\CurrentControlSet\Control\Lsa + path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa name: SCENoApplyLegacyAuditPolicy data: 1 type: dword @@ -891,7 +891,7 @@ - name: "2.3.2.2 | PATCH | Ensure Audit Shut down system immediately if unable to log security audits is set to Disabled" ansible.windows.win_regedit: - path: HKLM:\System\CurrentControlSet\Control\Lsa + path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa name: CrashOnAuditFail data: 0 type: dword @@ -906,7 +906,7 @@ - name: "2.3.4.1 | PATCH | Ensure Devices Allowed to format and eject removable media is set to Administrators" ansible.windows.win_regedit: - path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon + path: HKLM:\SOFTWARE\Microsoft\Windows Nt\Currentversion\Winlogon name: AllocateDASD data: 0 type: string @@ -921,7 +921,7 @@ - name: "2.3.4.2 | PATCH | Ensure Devices Prevent users from installing printer drivers is set to Enabled" ansible.windows.win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Print\Providers\Lanman Print Services\Servers + path: HKLM:\SYSTEM\Currentcontrolset\Control\Print\Providers\Lanman Print Services\Servers name: AddPrinterDrivers data: 1 type: dword @@ -936,7 +936,7 @@ - name: "2.3.5.1 | PATCH | Ensure Domain controller Allow server operators to schedule tasks is set to Disabled DC only | Domain Controller" ansible.windows.win_regedit: - path: HKLM:\System\CurrentControlSet\Control\Lsa + path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa name: SubmitControl data: 0 type: dword 
@@ -951,7 +951,7 @@ - name: "2.3.5.2 | PATCH | Ensure Domain controller Allow vulnerable Netlogon secure channel connections is set to Not Configured DC only | Domain Controller" ansible.windows.win_regedit: - path: HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters + path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters name: VulnerableChannelAllowList data: 0 type: dword @@ -966,7 +966,7 @@ - name: "2.3.5.3 | PATCH | Ensure Domain controller LDAP server channel binding token requirements' is set to Always DC only | Domain Controller" ansible.windows.win_regedit: - path: HKLM:\System\CurrentControlSet\Services\NTDS\Parameters + path: HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters name: LdapEnforceChannelBinding data: 2 type: dword @@ -981,7 +981,7 @@ - name: "2.3.5.4 | PATCH | Ensure Domain controller LDAP server signing requirements is set to Require signing DC only | Domain Controller" ansible.windows.win_regedit: - path: HKLM:\System\CurrentControlSet\Services\NTDS\Parameters + path: HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters name: LDAPServerIntegrity data: 2 type: dword @@ -996,7 +996,7 @@ - name: "2.3.5.5 | PATCH | Ensure Domain controller Refuse machine account password changes is set to Disabled DC only | Domain Controller" ansible.windows.win_regedit: - path: HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters + path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters name: RefusePasswordChange data: 0 type: dword @@ -1011,7 +1011,7 @@ - name: "2.3.6.1 | PATCH | Ensure Domain member Digitally encrypt or sign secure channel data always is set to Enabled" ansible.windows.win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters + path: HKLM:\SYSTEM\Currentcontrolset\Services\Netlogon\Parameters name: RequireSignOrSeal data: 1 type: dword 
@@ -1028,7 +1028,7 @@ - name: "2.3.6.2 | PATCH | Ensure Domain member Digitally encrypt secure channel data when possible is set to Enabled" ansible.windows.win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters + path: HKLM:\SYSTEM\Currentcontrolset\Services\Netlogon\Parameters name: SealSecureChannel data: 1 type: dword @@ -1045,7 +1045,7 @@ - name: "2.3.6.3 | PATCH | Ensure Domain member Digitally sign secure channel data when possible is set to Enabled" ansible.windows.win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters + path: HKLM:\SYSTEM\Currentcontrolset\Services\Netlogon\Parameters name: SignSecureChannel data: 1 type: dword @@ -1061,7 +1061,7 @@ - name: "2.3.6.4 | PATCH | Ensure Domain member Disable machine account password changes is set to Disabled" ansible.windows.win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters + path: HKLM:\SYSTEM\Currentcontrolset\Services\Netlogon\Parameters name: DisablePasswordChange data: 0 type: dword @@ -1097,7 +1097,7 @@ - name: "2.3.6.5 | PATCH | Ensure Domain member Maximum machine account password age is set to 30 or fewer days but not 0. | Apply Settings To Registry." ansible.windows.win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters + path: HKLM:\SYSTEM\Currentcontrolset\Services\Netlogon\Parameters name: MaximumPasswordAge data: "{{ win22cis_domain_member_maximum_password_age }}" type: dword @@ -1116,7 +1116,7 @@ - name: "2.3.6.6 | PATCH | Ensure Domain member Require strong Windows 2000 or later session key is set to Enabled" ansible.windows.win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters + path: HKLM:\SYSTEM\Currentcontrolset\Services\Netlogon\Parameters name: RequireStrongKey data: 1 type: dword 
@@ -1132,7 +1132,7 @@ - name: "2.3.7.1 | PATCH | Ensure Interactive logon Do not require CTRL+ALT+DEL is set to Disabled" ansible.windows.win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + path: HKLM:\SOFTWARE\Microsoft\Windows\Currentversion\Policies\System name: DisableCAD data: 0 type: dword @@ -1147,7 +1147,7 @@ - name: "2.3.7.2 | PATCH | Ensure Interactive logon Do not display last signed-in is set to Enabled" ansible.windows.win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + path: HKLM:\SOFTWARE\Microsoft\Windows\Currentversion\Policies\System name: DontDisplayLastUserName data: 1 type: dword @@ -1182,7 +1182,7 @@ - name: "2.3.7.3 | PATCH | Ensure Interactive logon Machine inactivity limit is set to 900 or fewer seconds but not 0. | Apply Settings To Registry." ansible.windows.win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + path: HKLM:\SOFTWARE\Microsoft\Windows\Currentversion\Policies\System name: InactivityTimeoutSecs data: "{{ win22cis_inactivity_timeout_seconds }}" type: dword @@ -1200,7 +1200,7 @@ - name: "2.3.7.4 | PATCH | Configure Interactive logon Message text for users attempting to log on" ansible.windows.win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + path: HKLM:\SOFTWARE\Microsoft\Windows\Currentversion\Policies\System name: LegalNoticeText data: "{{ win22cis_legal_notice }}" type: string @@ -1215,7 +1215,7 @@ - name: "2.3.7.5 | PATCH | Configure Interactive logon Message title for users attempting to log on" ansible.windows.win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + path: HKLM:\SOFTWARE\Microsoft\Windows\Currentversion\Policies\System name: LegalNoticeCaption data: "{{ win22cis_legal_notice_caption }}" type: string 
@@ -1246,7 +1246,7 @@ - name: "2.3.7.6 | PATCH | Ensure Interactive logon Number of previous logons to cache in case domain controller is not available is set to 4 or fewer logons MS only. | Apply Settings To Registry | Member Server" ansible.windows.win_regedit: - path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon + path: HKLM:\SOFTWARE\Microsoft\Windows Nt\Currentversion\Winlogon name: CachedLogonsCount data: "{{ win22cis_cached_logons_count }}" type: string @@ -1282,7 +1282,7 @@ - name: "2.3.7.7 | PATCH | Ensure Interactive logon Prompt user to change password before expiration is set to between 5 and 14 days. | Apply Settings To Registry." ansible.windows.win_regedit: - path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon + path: HKLM:\SOFTWARE\Microsoft\Windows Nt\Currentversion\Winlogon name: PasswordExpiryWarning data: "{{ win22cis_password_expiry_warning_days }}" type: dword @@ -1300,7 +1300,7 @@ - name: "2.3.7.8 | PATCH | Ensure Interactive logon Require Domain Controller Authentication to unlock workstation is set to Enabled MS only | Member Server" ansible.windows.win_regedit: - path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon + path: HKLM:\SOFTWARE\Microsoft\Windows Nt\Currentversion\Winlogon name: ForceUnlockLogon data: 1 type: dword @@ -1315,7 +1315,7 @@ - name: "2.3.7.9 | PATCH | Ensure Interactive logon Smart card removal behavior is set to Lock Workstation or higher" ansible.windows.win_regedit: - path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon + path: HKLM:\SOFTWARE\Microsoft\Windows Nt\Currentversion\Winlogon name: ScRemoveOption data: 1 type: string 
@@ -1330,7 +1330,7 @@ - name: "2.3.8.1 | PATCH | Ensure Microsoft network client Digitally sign communications always is set to Enabled" ansible.windows.win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters + path: HKLM:\SYSTEM\Currentcontrolset\Services\Lanmanworkstation\Parameters name: RequireSecuritySignature data: 1 type: dword @@ -1345,7 +1345,7 @@ - name: "2.3.8.2 | PATCH | Ensure Microsoft network client Digitally sign communications if server agrees is set to Enabled" ansible.windows.win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters + path: HKLM:\SYSTEM\Currentcontrolset\Services\Lanmanworkstation\Parameters name: EnableSecuritySignature data: 1 type: dword @@ -1360,7 +1360,7 @@ - name: "2.3.8.3 | PATCH | Ensure Microsoft network client Send unencrypted password to third-party SMB servers is set to Disabled" ansible.windows.win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters + path: HKLM:\SYSTEM\Currentcontrolset\Services\Lanmanworkstation\Parameters name: EnablePlainTextPassword data: 0 type: dword @@ -1391,7 +1391,7 @@ - name: "2.3.9.1 | PATCH | Ensure Microsoft network server Amount of idle time required before suspending session is set to 15 or fewer minutes. | Apply Settings To Registry." ansible.windows.win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters + path: HKLM:\SYSTEM\Currentcontrolset\Services\Lanmanserver\Parameters name: AutoDisconnect data: "{{ win22cis_smb_auto_disconnect_time }}" type: dword @@ -1407,7 +1407,7 @@ - name: "2.3.9.2 | PATCH | Ensure Microsoft network server Digitally sign communications always is set to Enabled" ansible.windows.win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters + path: HKLM:\SYSTEM\Currentcontrolset\Services\Lanmanserver\Parameters name: RequireSecuritySignature data: 1 type: dword 
@@ -1422,7 +1422,7 @@ - name: "2.3.9.3 | PATCH | Ensure Microsoft network server Digitally sign communications if client agrees is set to Enabled" ansible.windows.win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters + path: HKLM:\SYSTEM\Currentcontrolset\Services\Lanmanserver\Parameters name: EnableSecuritySignature data: 1 type: dword @@ -1437,7 +1437,7 @@ - name: "2.3.9.4 | PATCH | Ensure Microsoft network server Disconnect clients when logon hours expire is set to Enabled" ansible.windows.win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters + path: HKLM:\SYSTEM\Currentcontrolset\Services\Lanmanserver\Parameters name: EnableForcedLogoff data: 1 type: dword @@ -1452,7 +1452,7 @@ - name: "2.3.9.5 | PATCH | Ensure Microsoft network server Server SPN target name validation level is set to Accept if provided by client or higher | Member Server" ansible.windows.win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters + path: HKLM:\SYSTEM\Currentcontrolset\Services\Lanmanserver\Parameters name: SMBServerNameHardeningLevel data: 1 type: dword @@ -1482,7 +1482,7 @@ - name: "2.3.10.2 | PATCH | Ensure Network access Do not allow anonymous enumeration of SAM accounts is set to Enabled MS only | Member Server" ansible.windows.win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa + path: HKLM:\SYSTEM\Currentcontrolset\Control\Lsa name: RestrictAnonymousSAM data: 1 type: dword @@ -1497,7 +1497,7 @@ - name: "2.3.10.3 | PATCH | Ensure Network access Do not allow anonymous enumeration of SAM accounts and shares is set to Enabled MS only | Member Server" ansible.windows.win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa + path: HKLM:\SYSTEM\Currentcontrolset\Control\Lsa name: RestrictAnonymous data: 1 type: dword 
@@ -1512,7 +1512,7 @@ - name: "2.3.10.4 | PATCH | Ensure Network access Do not allow storage of passwords and credentials for network authentication is set to Enabled" ansible.windows.win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa + path: HKLM:\SYSTEM\Currentcontrolset\Control\Lsa name: DisableDomainCreds data: 1 type: dword @@ -1527,7 +1527,7 @@ - name: "2.3.10.5 | PATCH | Ensure Network access Let Everyone permissions apply to anonymous users is set to Disabled" ansible.windows.win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa + path: HKLM:\SYSTEM\Currentcontrolset\Control\Lsa name: EveryoneIncludesAnonymous data: 0 type: dword @@ -1542,7 +1542,7 @@ - name: "2.3.10.6 | PATCH | Configure Network access Named Pipes that can be accessed anonymously DC only | Domain Controller" ansible.windows.win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters + path: HKLM:\SYSTEM\Currentcontrolset\Services\Lanmanserver\Parameters name: NullSessionPipes data: "" type: multistring @@ -1557,7 +1557,7 @@ - name: "2.3.10.7 | PATCH | Configure Network access Named Pipes that can be accessed anonymously MS only | Member Server" ansible.windows.win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters + path: HKLM:\SYSTEM\Currentcontrolset\Services\Lanmanserver\Parameters name: NullSessionPipes data: "" type: multistring 
@@ -1572,9 +1572,9 @@ - name: "2.3.10.8 | PATCH | Configure Network access Remotely accessible registry paths" ansible.windows.win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\AllowedExactpaths + path: HKLM:\SYSTEM\Currentcontrolset\Control\Securepipeservers\Winreg\AllowedExactpaths name: "Machine" - data: ['System\CurrentControlSet\Control\ProductOptions', 'System\CurrentControlSet\Control\Server Applications', 'Software\Microsoft\Windows NT\CurrentVersion'] + data: ['SYSTEM\CurrentControlSet\Control\ProductOptions', 'SYSTEM\CurrentControlSet\Control\Server Applications', 'SOFTWARE\Microsoft\Windows NT\CurrentVersion'] type: multistring when: - win22cis_rule_2_3_10_8 
@@ -1585,11 +1585,49 @@ - patch - name: "2.3.10.9 | PATCH | Configure Network access Remotely accessible registry paths and sub-paths" - ansible.windows.win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\Allowedpaths - name: "Machine" - data: ['System\CurrentControlSet\Control\Print\Printers', 'System\CurrentControlSet\Services\Eventlog', 'Software\Microsoft\OLAP Server', 'Software\Microsoft\Windows NT\CurrentVersion\Print', 'Software\Microsoft\Windows NT\CurrentVersion\Windows', 'System\CurrentControlSet\Control\ContentIndex', 'System\CurrentControlSet\Control\Terminal Server', 'System\CurrentControlSet\Control\Terminal Server\UserConfig', 'System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration', 'Software\Microsoft\Windows NT\CurrentVersion\Perflib', 'System\CurrentControlSet\Services\WINS', 'System\CurrentControlSet\Services\CertSvc', 'System\CurrentControlSet\Services\SysmonLog'] - type: multistring + block: + - name: "2.3.10.9 | PATCH | Configure Network access Remotely accessible registry paths and sub-paths | Set Fact" + ansible.builtin.set_fact: + rule_2_3_10_9_remote_registry_paths: [ + 'SYSTEM\CurrentControlSet\Control\Print\Printers', + 'SYSTEM\CurrentControlSet\Services\Eventlog', + 'SOFTWARE\Microsoft\OLAP Server', + 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print', + 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows', + 'SYSTEM\CurrentControlSet\Control\ContentIndex', + 'SYSTEM\CurrentControlSet\Control\Terminal Server', + 'SYSTEM\CurrentControlSet\Control\Terminal Server\UserConfig', + 'SYSTEM\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration', + 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib', + 'SYSTEM\CurrentControlSet\Services\SysmonLog' + ] + + - name: "2.3.10.9 | AUDIT | Configure Network access Remotely accessible registry paths and sub-paths | Check if AD Certificate Services feature is installed." 
+ community.windows.win_feature_info: + name: AD-Certificate + register: rule_2_3_10_9_adcs_feature + + - name: 2.3.10.9 | PATCH | Configure Network access Remotely accessible registry paths and sub-paths | Add CertSvc to paths." + ansible.builtin.set_fact: + rule_2_3_10_9_remote_registry_paths: "{{ remote_registry_paths + ['SYSTEM\\CurrentControlSet\\Services\\CertSvc'] }}" + when: rule_2_3_10_9_adcs_feature.features[0].installed + + - name: 2.3.10.9 | AUDIT | Configure Network access Remotely accessible registry paths and sub-paths | Check if WINS feature is installed." + community.windows.win_feature_info: + name: WINS + register: rule_2_3_10_9_wins_feature + + - name: 2.3.10.9 | PATCH | Configure Network access Remotely accessible registry paths and sub-paths | Add WINS to paths." + ansible.builtin.set_fact: + rule_2_3_10_9_remote_registry_paths: "{{ remote_registry_paths + ['SYSTEM\\CurrentControlSet\\Services\\WINS'] }}" + when: rule_2_3_10_9_wins_feature.features[0].installed + + - name: "2.3.10.9 | PATCH | Configure Network access Remotely accessible registry paths and sub-paths | Apply " + ansible.windows.win_regedit: + path: HKLM:\SYSTEM\Currentcontrolset\Control\Securepipeservers\Winreg\Allowedpaths + name: "Machine" + data: '{{ rule_2_3_10_9_remote_registry_paths }}' + type: multistring when: - win22cis_rule_2_3_10_9 tags: @@ -1600,7 +1638,7 @@ - name: "2.3.10.10 | PATCH | Ensure Network access Restrict anonymous access to Named Pipes and Shares is set to Enabled" ansible.windows.win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters + path: HKLM:\SYSTEM\Currentcontrolset\Services\Lanmanserver\Parameters name: RestrictNullSessAccess data: 1 type: dword 
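Review bot: The two `set_fact` tasks that append CertSvc and WINS reference `remote_registry_paths`, which is never defined (the fact set at the top of the block is `rule_2_3_10_9_remote_registry_paths`), so on any host where AD-Certificate or WINS is installed the play fails with an undefined variable, while on other hosts the bug stays hidden. Use `rule_2_3_10_9_remote_registry_paths: "{{ rule_2_3_10_9_remote_registry_paths + ['SYSTEM\\CurrentControlSet\\Services\\CertSvc'] }}"` and the equivalent line for WINS. The three task names written as `- name: 2.3.10.9 | ... paths."` are missing their opening quote, so the trailing `"` becomes part of the task name; quote them like the surrounding tasks. `features[0].installed` also assumes `win_feature_info` always returns at least one entry; if it can return an empty list for a feature name the host does not know, `rule_2_3_10_9_adcs_feature.features | map(attribute='installed') | select | list | length > 0` avoids the index error, which is worth confirming against the module.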
@@ -1615,7 +1653,7 @@ - name: "2.3.10.11 | PATCH | Ensure Network access Restrict clients allowed to make remote calls to SAM is set to Administrators Remote Access Allow MS only | Member Server" ansible.windows.win_regedit: - path: HKLM:\System\CurrentControlSet\Control\Lsa + path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa name: RestrictRemoteSAM data: "O:BAG:BAD:(A;;RC;;;BA)" type: string @@ -1630,7 +1668,7 @@ - name: "2.3.10.12 | PATCH | Ensure Network access Shares that can be accessed anonymously is set to None" ansible.windows.win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters + path: HKLM:\SYSTEM\Currentcontrolset\Services\Lanmanserver\Parameters name: NullSessionShares data: "" type: multistring @@ -1645,7 +1683,7 @@ - name: "2.3.10.13 | PATCH | Ensure Network access Sharing and security model for local accounts is set to Classic - local users authenticate as themselves" ansible.windows.win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa + path: HKLM:\SYSTEM\Currentcontrolset\Control\Lsa name: ForceGuest data: 0 type: dword @@ -1660,7 +1698,7 @@ - name: "2.3.11.1 | PATCH | Ensure Network security Allow Local System to use computer identity for NTLM is set to Enabled" ansible.windows.win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa + path: HKLM:\SYSTEM\Currentcontrolset\Control\Lsa name: UseMachineId data: 1 type: dword @@ -1675,7 +1713,7 @@ - name: "2.3.11.2 | PATCH | Ensure Network security Allow LocalSystem NULL session fallback is set to Disabled" ansible.windows.win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0 + path: HKLM:\SYSTEM\Currentcontrolset\Control\Lsa\Msv1_0 name: AllowNullSessionFallback data: 0 type: dword 
@@ -1690,7 +1728,7 @@ - name: "2.3.11.3 | PATCH | Ensure Network Security Allow PKU2U authentication requests to this computer to use online identities is set to Disabled" ansible.windows.win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa\Pku2U + path: HKLM:\SYSTEM\Currentcontrolset\Control\Lsa\Pku2U name: AllowOnlineID data: 0 type: dword @@ -1705,7 +1743,7 @@ - name: "2.3.11.4 | PATCH | Ensure Network security Configure encryption types allowed for Kerberos is set to AES128 HMAC SHA1 AES256 HMAC SHA1 Future encryption types" ansible.windows.win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\Kerberos\Parameters + path: HKLM:\SOFTWARE\Microsoft\Windows\Currentversion\Policies\System\Kerberos\Parameters name: SupportedEncryptionTypes data: 2147483640 type: dword @@ -1720,7 +1758,7 @@ - name: "2.3.11.5 | PATCH | Ensure Network security Do not store LAN Manager hash value on next password change is set to Enabled" ansible.windows.win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa + path: HKLM:\SYSTEM\Currentcontrolset\Control\Lsa name: NoLMHash data: 1 type: dword @@ -1735,7 +1773,7 @@ - name: "2.3.11.6 | PATCH | Ensure Network security Force logoff when logon hours expire is set to Enabled" ansible.windows.win_regedit: - path: HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters + path: HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters name: EnableForcedLogOff data: 1 type: dword @@ -1750,7 +1788,7 @@ - name: "2.3.11.7 | PATCH | Ensure Network security LAN Manager authentication level is set to Send NTLMv2 response only. Refuse LM NTLM" ansible.windows.win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa + path: HKLM:\SYSTEM\Currentcontrolset\Control\Lsa name: LMCompatibilityLevel data: 5 type: dword 
@@ -1765,7 +1803,7 @@ - name: "2.3.11.8 | PATCH | Ensure Network security LDAP client signing requirements is set to Negotiate signing or higher" ansible.windows.win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Ldap + path: HKLM:\SYSTEM\Currentcontrolset\Services\Ldap name: LDAPClientIntegrity data: 1 type: dword @@ -1780,7 +1818,7 @@ - name: "2.3.11.9 | PATCH | Ensure Network security Minimum session security for NTLM SSP based including secure RPC clients is set to Require NTLMv2 session security Require 128-bit encryption" ansible.windows.win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0 + path: HKLM:\SYSTEM\Currentcontrolset\Control\Lsa\Msv1_0 name: NTLMMinClientSec data: 537395200 type: dword @@ -1795,7 +1833,7 @@ - name: "2.3.11.10 | PATCH | Ensure Network security Minimum session security for NTLM SSP based including secure RPC servers is set to Require NTLMv2 session security Require 128-bit encryption" ansible.windows.win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0 + path: HKLM:\SYSTEM\Currentcontrolset\Control\Lsa\Msv1_0 name: NTLMMinServerSec data: 537395200 type: dword @@ -1810,7 +1848,7 @@ - name: "2.3.13.1 | PATCH | Ensure Shutdown Allow system to be shut down without having to log on is set to Disabled" ansible.windows.win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + path: HKLM:\SOFTWARE\Microsoft\Windows\Currentversion\Policies\System name: ShutdownWithoutLogon data: 0 type: dword @@ -1826,7 +1864,7 @@ - name: "2.3.15.1 | PATCH | Ensure System objects Require case insensitivity for non-Windows subsystems is set to Enabled" ansible.windows.win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Session Manager\Kernel + path: HKLM:\SYSTEM\Currentcontrolset\Control\Session Manager\Kernel name: ObCaseInsensitive data: 1 type: dword 
@@ -1840,7 +1878,7 @@
- name: "2.3.15.2 | PATCH | Ensure System objects Strengthen default permissions of internal system objects e.g. Symbolic Links is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\System\Currentcontrolset\Control\Session Manager
+ path: HKLM:\SYSTEM\Currentcontrolset\Control\Session Manager
name: ProtectionMode
data: 1
type: dword
@@ -1854,7 +1892,7 @@
- name: "2.3.17.1 | PATCH | Ensure User Account Control Admin Approval Mode for the Built-in Administrator account is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
+ path: HKLM:\SOFTWARE\Microsoft\Windows\Currentversion\Policies\System
name: FilterAdministratorToken
data: 1
type: dword
@@ -1869,7 +1907,7 @@
- name: "2.3.17.2 | PATCH | Ensure User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode is set to Prompt for consent on the secure desktop"
ansible.windows.win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
+ path: HKLM:\SOFTWARE\Microsoft\Windows\Currentversion\Policies\System
name: ConsentPromptBehaviorAdmin
data: 2
type: dword
@@ -1884,7 +1922,7 @@
- name: "2.3.17.3 | PATCH | Ensure User Account Control Behavior of the elevation prompt for standard users is set to Automatically deny elevation requests"
ansible.windows.win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
+ path: HKLM:\SOFTWARE\Microsoft\Windows\Currentversion\Policies\System
name: ConsentPromptBehaviorUser
data: 0
type: dword
@@ -1899,7 +1937,7 @@
- name: "2.3.17.4 | PATCH | Ensure User Account Control Detect application installations and prompt for elevation is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
+ path: HKLM:\SOFTWARE\Microsoft\Windows\Currentversion\Policies\System
name: EnableInstallerDetection
data: 1
type: dword
@@ -1914,7 +1952,7 @@
- name: "2.3.17.5 | PATCH | Ensure User Account Control Only elevate UIAccess applications that are installed in secure locations is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
+ path: HKLM:\SOFTWARE\Microsoft\Windows\Currentversion\Policies\System
name: EnableSecureUIAPaths
data: 1
type: dword
@@ -1929,7 +1967,7 @@
- name: "2.3.17.6 | PATCH | Ensure User Account Control Run all administrators in Admin Approval Mode is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
+ path: HKLM:\SOFTWARE\Microsoft\Windows\Currentversion\Policies\System
name: EnableLUA
data: 1
type: dword
@@ -1944,7 +1982,7 @@
- name: "2.3.17.7 | PATCH | Ensure User Account Control Switch to the secure desktop when prompting for elevation is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
+ path: HKLM:\SOFTWARE\Microsoft\Windows\Currentversion\Policies\System
name: PromptOnSecureDesktop
data: 1
type: dword
@@ -1959,7 +1997,7 @@
- name: "2.3.17.8 | PATCH | Ensure User Account Control Virtualize file and registry write failures to per-user locations is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
+ path: HKLM:\SOFTWARE\Microsoft\Windows\Currentversion\Policies\System
name: EnableVirtualization
data: 1
type: dword
diff --git a/tasks/section09.yml b/tasks/section09.yml
index 34e9ecd..254564d 100644
--- a/tasks/section09.yml
+++ b/tasks/section09.yml
@@ -2,7 +2,7 @@
- name: "9.1.1 | PATCH | Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windowsfirewall\Domainprofile
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windowsfirewall\Domainprofile
name: EnableFirewall
data: 1
type: dword
diff --git a/tasks/section18.yml b/tasks/section18.yml
index 82cc641..4408d59 100644
--- a/tasks/section18.yml
+++ b/tasks/section18.yml
@@ -2,7 +2,7 @@
- name: "18.1.1.1 | PATCH | Ensure Prevent enabling lock screen camera is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Personalization
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization
name: NoLockScreenCamera
data: 1
type: dword
@@ -17,7 +17,7 @@
- name: "18.1.1.2 | PATCH | Ensure Prevent enabling lock screen slide show is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Personalization
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization
name: NoLockScreenSlideshow
data: 1
type: dword
@@ -32,7 +32,7 @@
- name: "18.1.2.2 | PATCH | Ensure Allow users to enable online speech recognition services is set to Disabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\InputPersonalization
+ path: HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization
name: "AllowInputPersonalization"
data: "0"
type: dword
@@ -188,7 +188,7 @@
- name: "18.4.1 | PATCH | Ensure Apply UAC restrictions to local accounts on network logons is set to Enabled MS only | Member Server"
ansible.windows.win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
+ path: HKLM:\SOFTWARE\Microsoft\Windows\Currentversion\Policies\SYSTEM
name: LocalAccountTokenFilterPolicy
data: 0
type: dword
@@ -299,7 +299,7 @@
- name: "18.5.1 | PATCH | Ensure MSS AutoAdminLogon Enable Automatic Logon not recommended is set to Disabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon
+ path: HKLM:\SOFTWARE\Microsoft\Windows Nt\Currentversion\Winlogon
state: present
name: AutoAdminLogon
data: 0
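Review bot: In the 18.1.2.2 hunk the value name and data are written as quoted strings (`name: "AllowInputPersonalization"`, `data: "0"`) while every other win_regedit task in this diff writes them bare (`name: NoLockScreenCamera`, `data: 1`); win_regedit presumably still converts the string for `type: dword`, but the quoting reads as though a string value were intended. Aligning it with the neighbouring tasks, `name: AllowInputPersonalization` and `data: 0`, keeps the file uniform and greppable.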
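Review bot: The new path in the 18.4.1 hunk ends in `Policies\SYSTEM` while every other hunk in this diff writes that key as `Policies\System` (2.3.13.1, 2.3.17.x, 18.9.3.1, 18.10.5.1); it looks like the hive-level `System`→`SYSTEM` replacement also caught the `System` subkey on this one line. Registry key names are case-insensitive, so the value should still land in the right place, but the odd spelling will not match a search for `Policies\System` and invites a "wrong key" false alarm when someone compares the role against the benchmark text. `path: HKLM:\SOFTWARE\Microsoft\Windows\Currentversion\Policies\System` matches the rest of the file. The same kind of drift shows in 18.9.23.1, which writes `System\kerberos\parameters` where 2.3.11.4 writes `System\Kerberos\Parameters`, though that one predates the commit.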
@@ -384,7 +384,7 @@
- name: "18.5.6 | PATCH | Ensure MSS NoNameReleaseOnDemand Allow the computer to ignore NetBIOS name release requests except from WINS servers is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\System\Currentcontrolset\Services\Netbt\Parameters
+ path: HKLM:\SYSTEM\Currentcontrolset\Services\Netbt\Parameters
state: present
name: NoNameReleaseOnDemand
data: 1
@@ -401,7 +401,7 @@
- name: "18.5.7 | PATCH | Ensure MSS PerformRouterDiscovery Allow IRDP to detect and configure Default Gateway addresses could lead to DoS is set to Disabled"
ansible.windows.win_regedit:
- path: HKLM:\System\Currentcontrolset\Services\Tcpip\Parameters
+ path: HKLM:\SYSTEM\Currentcontrolset\Services\Tcpip\Parameters
state: present
name: PerformRouterDiscovery
data: 0
@@ -417,7 +417,7 @@
- name: "18.5.8 | PATCH | Ensure MSS SafeDllSearchMode Enable Safe DLL search mode recommended is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\System\Currentcontrolset\Control\Session Manager
+ path: HKLM:\SYSTEM\Currentcontrolset\Control\Session Manager
name: SafeDllSearchMode
data: 1
type: dword
@@ -449,7 +449,7 @@
- name: "18.5.9 | PATCH | Ensure MSS ScreenSaverGracePeriod The time in seconds before the screen saver grace period expires 0 recommended is set to Enabled 5 or fewer seconds | Set Variable."
ansible.windows.win_regedit:
- path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon
+ path: HKLM:\SOFTWARE\Microsoft\Windows Nt\Currentversion\Winlogon
name: ScreenSaverGracePeriod
data: "{{ win22cis_screen_saver_grace_period }}"
type: string
@@ -466,7 +466,7 @@
- name: "18.5.10 | PATCH | Ensure MSS TcpMaxDataRetransmissions IPv6 How many times unacknowledged data is retransmitted is set to Enabled 3"
ansible.windows.win_regedit:
- path: HKLM:\System\Currentcontrolset\Services\Tcpip6\Parameters
+ path: HKLM:\SYSTEM\Currentcontrolset\Services\Tcpip6\Parameters
name: TcpMaxDataRetransmissions
data: 3
type: dword
@@ -481,7 +481,7 @@
- name: "18.5.11 | PATCH | Ensure MSS TcpMaxDataRetransmissions How many times unacknowledged data is retransmitted is set to Enabled 3"
ansible.windows.win_regedit:
- path: HKLM:\System\Currentcontrolset\Services\Tcpip\Parameters
+ path: HKLM:\SYSTEM\Currentcontrolset\Services\Tcpip\Parameters
name: TcpMaxDataRetransmissions
data: 3
type: dword
@@ -512,7 +512,7 @@
- name: "18.5.12 | PATCH | Ensure MSS WarningLevel Percentage threshold for the security event log at which the system will generate a warning is set to Enabled 90 or less | Set Variable."
ansible.windows.win_regedit:
- path: HKLM:\System\Currentcontrolset\Services\Eventlog\Security
+ path: HKLM:\SYSTEM\Currentcontrolset\Services\Eventlog\Security
name: WarningLevel
data: "{{ win22cis_log_threshold_audit_event }}"
type: dword
@@ -600,7 +600,7 @@
- name: "18.6.4.3 | PATCH | Ensure Turn off multicast name resolution is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient
name: EnableMulticast
data: 0
type: dword
@@ -630,7 +630,7 @@
- name: "18.6.8.1 | PATCH | Ensure Enable insecure guest logons is set to Disabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Lanmanworkstation
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Lanmanworkstation
name: AllowInsecureGuestAuth
data: 0
type: dword
@@ -647,28 +647,28 @@
block:
- name: "18.6.9.1 | PATCH | Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | AllowLLTDIOOndomain"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Lltd
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Lltd
name: AllowLLTDIOOndomain
data: 0
type: dword
- name: "18.6.9.1 | PATCH | Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | AllowLLTDIOOnPublicNet"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Lltd
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Lltd
name: AllowLLTDIOOnPublicNet
data: 0
type: dword
- name: "18.6.9.1 | PATCH | Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | EnableLLTDIO"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Lltd
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Lltd
name: EnableLLTDIO
data: 0
type: dword
- name: "18.6.9.1 | PATCH | Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | ProhibitLLTDIOOnPrivateNet"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Lltd
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Lltd
name: ProhibitLLTDIOOnPrivateNet
data: 0
type: dword
@@ -686,28 +686,28 @@
block:
- name: "18.6.9.2 | PATCH | Ensure Turn on Responder RSPNDR driver is set to Disabled | AllowRspndrOnDomain"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Lltd
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Lltd
name: AllowRspndrOnDomain
data: 0
type: dword
- name: "18.6.9.2 | PATCH | Ensure Turn on Responder RSPNDR driver is set to Disabled | AllowRspndrOnPublicNet"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Lltd
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Lltd
name: AllowRspndrOnPublicNet
data: 0
type: dword
- name: "18.6.9.2 | PATCH | Ensure Turn on Responder RSPNDR driver is set to Disabled | EnableRspndr"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Lltd
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Lltd
name: EnableRspndr
data: 0
type: dword
- name: "18.6.9.2 | PATCH | Ensure Turn on Responder RSPNDR driver is set to Disabled | ProhibitRspndrOnPrivateNet"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Lltd
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Lltd
name: ProhibitRspndrOnPrivateNet
data: 0
type: dword
@@ -723,7 +723,7 @@
- name: "18.6.10.2 | PATCH | Ensure Turn off Microsoft Peer-to-Peer Networking Services is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Peernet
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Peernet
name: Disabled
data: 1
type: dword
@@ -738,7 +738,7 @@
- name: "18.6.11.2 | PATCH | Ensure Prohibit installation and configuration of Network Bridge on your DNS domain network is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Network Connections
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections
name: NC_AllowNetBridge_NLA
data: 0
type: dword
@@ -758,7 +758,7 @@
data: 0
type: dword
when:
- - win22cis_rule_18_5_11_3
+ - win22cis_rule_18_6_11_3
tags:
- level1-domaincontroller
- level1-memberserver
@@ -768,7 +768,7 @@
- name: "18.6.11.4 | PATCH | Ensure Require domain users to elevate when setting a networks location is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Network Connections
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections
name: NC_StdDomainUserSetLocation
data: 1
type: dword
@@ -785,14 +785,14 @@
block:
- name: "18.6.14.1 | PATCH | Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all NETLOGON shares"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths
name: "\\\\*\\NETLOGON"
data: "RequireMutualAuthentication=1, RequireIntegrity=1"
type: string
- name: "18.6.14.1 | PATCH | Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all SYSVOL shares"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths
name: "\\\\*\\SYSVOL"
data: "RequireMutualAuthentication=1, RequireIntegrity=1"
type: string
@@ -808,7 +808,7 @@
- name: "18.6.19.2.1 | PATCH | Disable IPv6 Ensure TCPIP6 Parameter DisabledComponents is set to 0xff 255"
ansible.windows.win_regedit:
- path: HKLM:\System\CurrentControlSet\Services\TCPIP6\Parameters
+ path: HKLM:\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters
name: DisabledComponents
data: 255
type: dword
@@ -825,35 +825,35 @@
block:
- name: "18.6.20.1 | PATCH | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | EnableRegistrars"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Wcn\Registrars
name: EnableRegistrars
data: 0
type: dword
- name: "18.6.20.1 | PATCH | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableUPnPRegistrar"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Wcn\Registrars
name: DisableUPnPRegistrar
data: 0
type: dword
- name: "18.6.20.1 | PATCH | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableInBand802DOT11Registrar"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Wcn\Registrars
name: DisableInBand802DOT11Registrar
data: 0
type: dword
- name: "18.6.20.1 | PATCH | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableFlashConfigRegistrar"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Wcn\Registrars
name: DisableFlashConfigRegistrar
data: 0
type: dword
- name: "18.6.20.1 | PATCH | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableWPDRegistrar"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Wcn\Registrars
name: DisableWPDRegistrar
data: 0
type: dword
@@ -868,7 +868,7 @@
- name: "18.6.20.2 | PATCH | Ensure Prohibit access of the Windows Connect Now wizards is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Ui
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Wcn\Ui
name: DisableWcnUi
data: 1
type: dword
@@ -883,7 +883,7 @@
- name: "18.6.21.1 | PATCH | Ensure Minimize the number of simultaneous connections to the Internet or a Windows Domain is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Wcmsvc\Grouppolicy
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Wcmsvc\Grouppolicy
name: fMinimizeConnections
data: 3
type: dword
@@ -898,7 +898,7 @@
- name: "18.6.21.2 | PATCH | Ensure Prohibit connection to non-domain networks when connected to domain authenticated network is set to Enabled MS only | Member Server"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Wcmsvc\Grouppolicy
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Wcmsvc\Grouppolicy
name: fBlockNonDomain
data: 1
type: dword
@@ -913,7 +913,7 @@
- name: "18.7.1 | PATCH | Ensure Allow Print Spooler to accept client connections is set to Disabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows NT\Printers
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers
name: RegisterSpoolerRemoteRpcEndPoint
data: 2
type: dword
@@ -928,7 +928,7 @@
- name: "18.7.2 | PATCH | Ensure Configure Redirection Guard is set to Enabled Redirection Guard Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows NT\Printers
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers
name: RedirectionguardPolicy
data: 1
type: dword
@@ -943,7 +943,7 @@
- name: "18.7.3 | PATCH | Ensure Configure RPC connection settings Protocol to use for outgoing RPC connections is set to Enabled RPC over TCP"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows NT\Printers\RPC
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC
name: RpcUseNamedPipeProtocol
data: 0
type: dword
@@ -958,7 +958,7 @@
- name: "18.7.4 | PATCH | Ensure Configure RPC connection settings Use authentication for outgoing RPC connections is set to Enabled: Default"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows NT\Printers\RPC
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC
name: RpcAuthentication
data: 0
type: dword
@@ -973,7 +973,7 @@
- name: "18.7.5 | PATCH | Ensure Configure RPC connection settings Use authentication for outgoing RPC connections is set to Enabled: Default"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows NT\Printers\RPC
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC
name: RpcProtocols
data: 5
type: dword
@@ -1008,7 +1008,7 @@
- name: "18.7.6 | PATCH | Ensure 'Configure RPC listener settings: Authentication protocol to use for incoming RPC connections:' is set to 'Enabled: Negotiate' or higher. | Set Variable."
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows NT\Printers\RPC
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC
name: ForceKerberosForRpc
data: "{{ win22cis_force_kerberos_for_rpc }}"
type: dword
@@ -1025,7 +1025,7 @@
- name: "18.7.7 | PATCH | Ensure Configure RPC over TCP port is set to Enabled: 0"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows NT\Printers\RPC
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC
name: RpcTcpPort
data: 0
type: dword
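Review bot: The task title in the 18.7.5 hunk is a verbatim copy of 18.7.4's (`Configure RPC connection settings Use authentication for outgoing RPC connections is set to Enabled: Default`) even though the two tasks write different values, `RpcAuthentication` in 18.7.4 and `RpcProtocols` with `data: 5` here, so the title looks copy-pasted rather than describing the control. `RpcProtocols` is the "Configure RPC listener settings: Protocols to allow for incoming RPC connections" setting in the CIS benchmark, which would give a title like `"18.7.5 | PATCH | Ensure Configure RPC listener settings Protocols to allow for incoming RPC connections is set to Enabled RPC over TCP"`; please check the wording against the benchmark revision this role tracks. Because the task names double as the run log, a duplicated title also makes 18.7.4 and 18.7.5 indistinguishable in play output and in any audit that keys on the name.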
@@ -1072,7 +1072,7 @@
- name: "18.7.10 | PATCH | Ensure Point and Print Restrictions When installing drivers for a new connection is set to Enabled Show warning and elevation prompt"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
name: NoWarningNoElevationOnInstall
data: 0
type: dword
@@ -1087,7 +1087,7 @@
- name: "18.7.11 | PATCH | Ensure Point and Print Restrictions: When updating drivers for an existing connection is set to Enabled: Show warning and elevation prompt"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
name: UpdatePromptSettings
data: 0
type: dword
@@ -1117,7 +1117,7 @@
- name: "18.9.3.1 | PATCH | Ensure Include command line in process creation events is set to Enabled."
ansible.windows.win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\Audit
+ path: HKLM:\SOFTWARE\Microsoft\Windows\Currentversion\Policies\System\Audit
name: ProcessCreationIncludeCmdLine_Enabled
data: 1
type: dword
@@ -1281,7 +1281,7 @@
- name: "18.9.13.1 | PATCH | Ensure Boot-Start Driver Initialization Policy is set to Enabled Good unknown and bad but critical"
ansible.windows.win_regedit:
- path: HKLM:\System\Currentcontrolset\Policies\Earlylaunch
+ path: HKLM:\SYSTEM\Currentcontrolset\Policies\Earlylaunch
name: DriverLoadPolicy
data: 3
type: dword
@@ -1296,7 +1296,7 @@
- name: "18.9.19.2 | PATCH | Ensure Configure registry policy processing Do not apply during periodic background processing is set to Enabled FALSE"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378Eac-683F-11D2-A89A-00C04Fbbcfa2}
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378Eac-683F-11D2-A89A-00C04Fbbcfa2}
name: NoBackgroundPolicy
data: 0
type: dword
@@ -1311,7 +1311,7 @@
- name: "18.9.19.3 | PATCH | Ensure Configure registry policy processing Process even if the Group Policy objects have not changed is set to Enabled TRUE"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378Eac-683F-11D2-A89A-00C04Fbbcfa2}
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378Eac-683F-11D2-A89A-00C04Fbbcfa2}
name: NoGPOListChanges
data: 0
type: dword
@@ -1340,7 +1340,7 @@
- name: "18.9.19.5 | PATCH | Ensure Turn off background refresh of Group Policy is set to Disabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\DisableBkGndGroupPolicy
+ path: HKLM:\SOFTWARE\Microsoft\Windows\Currentversion\Policies\System\DisableBkGndGroupPolicy
name: DisableBkGndGroupPolicy
data: 1
type: dword
@@ -1355,7 +1355,7 @@
- name: "18.9.20.1.1 | PATCH | Ensure Turn off downloading of print drivers over HTTP is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Printers
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Nt\Printers
name: DisableWebPnPDownload
data: 1
type: dword
@@ -1371,7 +1371,7 @@
- name: "18.9.20.1.2 | PATCH | Ensure Turn off handwriting personalization data sharing is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Tabletpc
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Tabletpc
name: PreventHandwritingDataSharing
data: 1
type: dword
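Review bot: In the 18.9.19.5 hunk the key path ends with the value name (`...\Policies\System\DisableBkGndGroupPolicy` followed by `name: DisableBkGndGroupPolicy`), which looks like the value name was accidentally appended to the path; the other tasks in this diff that target this policy key (2.3.13.1, 2.3.17.x, 18.10.5.1) write directly under `...\Policies\System`, and a value written into a subkey of the same name would leave the control silently unenforced while the task still reports `changed`/`ok`. The title also says the "Turn off background refresh" policy should be Disabled, whereas `data: 1` is the value that turns background refresh off, so the value may be inverted as well. Please verify the path and expected value against the benchmark; if the benchmark location is the parent key, the fix is `path: HKLM:\SOFTWARE\Microsoft\Windows\Currentversion\Policies\System` plus the matching `data` value, in a separate change since this commit only touched hive casing.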
@@ -1386,7 +1386,7 @@
- name: "18.9.20.1.3 | PATCH | Ensure Turn off handwriting recognition error reporting is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Handwritingerrorreports
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Handwritingerrorreports
name: PreventHandwritingErrorReports
data: 1
type: dword
@@ -1401,7 +1401,7 @@
- name: "18.9.20.1.4 | PATCH | Ensure Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Internet Connection Wizard
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard
name: ExitOnMSICW
data: 1
type: dword
@@ -1417,7 +1417,7 @@
- name: "18.9.20.1.5 | PATCH | Ensure Turn off Internet download for Web publishing and online ordering wizards is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
+ path: HKLM:\SOFTWARE\Microsoft\Windows\Currentversion\Policies\Explorer
name: NoWebServices
data: 1
type: dword
@@ -1433,7 +1433,7 @@
- name: "18.9.20.1.6 | PATCH | Ensure Turn off printing over HTTP is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Printers
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Nt\Printers
name: DisableHTTPPrinting
data: 1
type: dword
@@ -1448,7 +1448,7 @@
- name: "18.9.20.1.7 | PATCH | Ensure Turn off Registration if URL connection is referring to Microsoft.com is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Registration Wizard Control
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control
name: NoRegistration
data: 1
type: dword
@@ -1464,7 +1464,7 @@
- name: "18.9.20.1.8 | PATCH | Ensure Turn off Search Companion content file updates is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Searchcompanion
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Searchcompanion
name: DisableContentFileUpdates
data: 1
type: dword
@@ -1479,7 +1479,7 @@
- name: "18.9.20.1.9 | PATCH | Ensure Turn off the Order Prints picture task is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
+ path: HKLM:\SOFTWARE\Microsoft\Windows\Currentversion\Policies\Explorer
name: NoOnlinePrintsWizard
data: 1
type: dword
@@ -1494,7 +1494,7 @@
- name: "18.9.20.1.10 | PATCH | Ensure Turn off the Publish to Web task for files and folders is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
+ path: HKLM:\SOFTWARE\Microsoft\Windows\Currentversion\Policies\Explorer
name: NoPublishingWizard
data: 1
type: dword
@@ -1509,7 +1509,7 @@
- name: "18.9.20.1.11 | PATCH | Ensure Turn off the Windows Messenger Customer Experience Improvement Program is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Messenger\Client
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Messenger\Client
name: CEIP
data: 2
type: dword
@@ -1524,7 +1524,7 @@
- name: "18.9.20.1.12 | PATCH | Ensure Turn off Windows Customer Experience Improvement Program is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Sqmclient\Windows
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Sqmclient\Windows
name: CEIPEnable
data: 0
type: dword
@@ -1541,7 +1541,7 @@
block:
- name: "18.9.20.1.13 | PATCH | Ensure Turn off Windows Error Reporting is set to Enabled | Windows Error Reporting"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Windows Error Reporting
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting
name: Disabled
data: 1
type: dword
@@ -1565,14 +1565,14 @@
block:
- name: "18.9.23.1 | PATCH | Ensure Support device authentication using certificate is set to Enabled Automatic | DevicePKInitBehavior"
ansible.windows.win_regedit:
- path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters
+ path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters
name: DevicePKInitBehavior
data: 0
type: dword
- name: "18.9.23.1 | PATCH | Ensure Support device authentication using certificate is set to Enabled Automatic | DevicePKInitEnabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters
+ path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters
name: DevicePKInitEnabled
data: 1
type: dword
@@ -1587,7 +1587,7 @@
- name: "18.9.24.1 | PATCH | Ensure Enumeration policy for external devices incompatible with Kernel DMA Protection is set to Enabled Block All"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Kernel DMA Protection
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection
name: DeviceEnumerationPolicy
data: 0
type: dword
@@ -1632,7 +1632,7 @@
- name: "18.9.26.1 | PATCH | Ensure Disallow copying of user input methods to the system account for sign-in is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Control Panel\International
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Control Panel\International
name: BlockUserInputMethodsForSignIn
data: 1
type: dword
@@ -1644,9 +1644,9 @@
- rule_18.9.26.1
- patch
-- name: "18.9.17.1 | PATCH | Ensure Block user from showing account details on sign-in is set to Enabled"
+- name: "18.9.27.1 | PATCH | Ensure Block user from showing account details on sign-in is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\System
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System
name: BlockUserFromShowingAccountDetailsOnSignin
data: 1
type: dword
@@ -1661,7 +1661,7 @@
- name: "18.9.27.2 | PATCH | Ensure Do not display network selection UI is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\System
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System
name: DontDisplayNetworkSelectionUI
data: 1
type: dword
@@ -1675,7 +1675,7 @@
- name: "18.9.27.3 | PATCH | Ensure Do not enumerate connected users on domain-joined computers is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\System
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System
name: DontEnumerateConnectedUsers
data: 1
type: dword
@@ -1690,7 +1690,7 @@
- name: "18.9.27.4 | PATCH | Ensure Enumerate local users on domain-joined computers is set to Disabled MS only | Member Server"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\System
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System
name: EnumerateLocalUsers
data: 0
type: dword
@@ -1705,7 +1705,7 @@
- name: "18.9.27.5 | PATCH | Ensure Turn off app notifications on the lock screen is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\System
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System
name: DisableLockScreenAppNotifications
data: 1
type: dword
@@ -1720,7 +1720,7 @@
- name: "18.9.27.6 | PATCH | Ensure Turn off picture password sign-in is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\System
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System
name: BlockDomainPicturePassword
data: 1
type: dword
@@ -1735,7 +1735,7 @@
- name: "18.9.27.7 | PATCH | Ensure Turn on convenience PIN sign-in is set to Disabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\System
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System
name: AllowDomainPINLogon
data: 0
type: dword
@@ -1750,7 +1750,7 @@
- name: "18.9.30.1 | PATCH | Ensure Allow Clipboard synchronization across devices is set to Disabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\System
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System
name: AllowCrossDeviceClipboard
data: 0
type: dword
@@ -1765,7 +1765,7 @@
- name: "18.9.30.2 | PATCH | Ensure Allow upload of User Activities is set to Disabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\System
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System
name: UploadUserActivities
data: 0
type: dword
@@ -1799,7 +1799,7 @@
data: 0
type: dword
when:
- - win22cis_rule_18_3_32_6_2
+ - win22cis_rule_18_9_32_6_2
tags:
- level2-domaincontroller
- level2-memberserver
@@ -1840,7 +1840,7 @@
- name: "18.9.34.1 | PATCH | Ensure Configure Offer Remote Assistance is set to Disabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Nt\Terminal Services
name: fAllowUnsolicited
data: 0
type: dword
@@ -1855,7 +1855,7 @@
- name: "18.9.34.2 | PATCH | Ensure Configure Solicited Remote Assistance is set to Disabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Nt\Terminal Services
name: fAllowToGetHelp
data: 0
type: dword
@@ -1870,7 +1870,7 @@
- name: "18.9.35.1 | PATCH | Ensure Enable RPC Endpoint Mapper Client Authentication is set to Enabled MS only | Member Server"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Rpc
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Nt\Rpc
name: EnableAuthEpResolution
data: 1
type: dword
@@ -1885,7 +1885,7 @@
- name: "18.9.35.2 | PATCH | Ensure Restrict Unauthenticated RPC clients is set to Enabled Authenticated MS only | Member Server"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Rpc
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Nt\Rpc
name: RestrictRemoteClients
data: 1
type: dword
@@ -1915,7 +1915,7 @@
- name: "18.9.46.5.1 | PATCH | Ensure Microsoft Support Diagnostic Tool Turn on MSDT interactive communication with support provider is set to Disabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Scripteddiagnosticsprovider\Policy
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Scripteddiagnosticsprovider\Policy
name: DisableQueryRemoteServer
data: 0
type: dword
@@ -1930,7 +1930,7 @@
- name: "18.9.46.11.1 | PATCH | Ensure EnableDisable PerfTrack is set to Disabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Wdi\{9C5A40Da-B965-4Fc3-8781-88Dd50A6299D}
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Wdi\{9C5A40Da-B965-4Fc3-8781-88Dd50A6299D}
name: ScenarioExecutionEnabled
data: 0
type: dword
@@ -1945,7 +1945,7 @@
- name: "18.9.48.1 | PATCH | Ensure Turn off the advertising ID is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Advertisinginfo
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Advertisinginfo
name: DisabledByGroupPolicy
data: 1
type: dword
@@ -1960,7 +1960,7 @@
- name: "18.9.50.1.1 | PATCH | Ensure Enable Windows NTP Client is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\W32Time\Timeproviders\Ntpclient
+ path: HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Timeproviders\Ntpclient
name: Enabled
data: 1
type: dword
@@ -1975,7 +1975,7 @@
- name: "18.9.50.1.2 | PATCH | Ensure Enable Windows NTP Server is set to Disabled MS only | Member Server"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\W32Time\Timeproviders\Ntpserver
+ path: HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Timeproviders\Ntpserver
name: Enabled
data: 0
type: dword
@@ -1990,7 +1990,7 @@
- name: "18.10.3.1 | PATCH | Ensure Allow a Windows app to share application data between users is set to Disabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Currentversion\Appmodel\Statemanager
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Currentversion\Appmodel\Statemanager
name: AllowSharedLocalAppData
data: 0
type: dword
@@ -2005,7 +2005,7 @@
- name: "18.10.5.1 | PATCH | Ensure Allow Microsoft accounts to be optional is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
+ path: HKLM:\SOFTWARE\Microsoft\Windows\Currentversion\Policies\System
name: MSAOptional
data: 1
type: dword
@@ -2020,7 +2020,7 @@
- name: "18.10.7.1 | PATCH | Ensure Disallow Autoplay for non-volume devices is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Explorer
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer
name: NoAutoplayfornonVolume
data: 1
type: dword
@@ -2035,7 +2035,7 @@
- name: "18.10.7.2 | PATCH | Ensure Set the default behavior for AutoRun is set to Enabled Do not execute any autorun commands"
ansible.windows.win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
+ path: HKLM:\SOFTWARE\Microsoft\Windows\Currentversion\Policies\Explorer
name: NoAutorun
data: 1
type: dword
@@ -2050,7 +2050,7 @@
- name: "18.10.7.3 | PATCH | Ensure Turn off Autoplay is set to Enabled All drives"
ansible.windows.win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
+ path: HKLM:\SOFTWARE\Microsoft\Windows\Currentversion\Policies\Explorer
name: NoDriveTypeAutoRun
data: 255
type: dword
@@ -2065,7 +2065,7 @@
- name: "18.10.8.1.1 | PATCH | Ensure Configure enhanced anti-spoofing is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Biometrics\Facialfeatures
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\Facialfeatures
name: EnhancedAntiSpoofing
data: 1
type: dword
@@ -2125,7 +2125,7 @@
- name: "18.10.12.3 | PATCH | Ensure Turn off Microsoft consumer experiences is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Cloudcontent
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Cloudcontent
name: DisableWindowsConsumerFeatures
data: 1
type: dword
@@ -2177,7 +2177,7 @@
- name: "18.10.14.1 | PATCH | Ensure Do not display the password reveal button is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Credui
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Credui
name: DisablePasswordReveal
data: 1
type: dword
@@ -2192,7 +2192,7 @@
- name: "18.10.14.2 | PATCH | Ensure Enumerate administrator accounts on elevation is set to Disabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Credui
+ path: HKLM:\SOFTWARE\Microsoft\Windows\Currentversion\Policies\Credui
name: EnumerateAdministrators
data: 0
type: dword
@@ -2244,7 +2244,7 @@
- name: "18.10.15.2 | PATCH | Ensure Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service is set to Enabled Disable Authenticated Proxy usage"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\DataCollection
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection
name: DisableEnterpriseAuthProxy
data: 1
type: dword
@@ -2274,7 +2274,7 @@
- name: "18.10.15.4 | PATCH | Ensure Do not show feedback notifications is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Datacollection
name: DoNotShowFeedbackNotifications
data: 1
type: dword
@@ -2334,7 +2334,7 @@
- name: "18.10.15.8 | PATCH | Ensure Toggle user control over Insider builds is set to Disabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Previewbuilds
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Previewbuilds
name: AllowBuildPreview
data: 0
type: dword
@@ -2349,7 +2349,7 @@
- name: "18.10.17.1 | PATCH | Ensure Enable App Installer is set to Disabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\AppInstaller
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller
name: EnableAppInstaller
data: 0
type: dword
@@ -2364,7 +2364,7 @@
- name: "18.10.17.2 | PATCH | Ensure Enable App Installer Experimental Features is set to Disabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\AppInstaller
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller
name: EnableExperimentalFeatures
data: 0
type: dword
@@ -2379,7 +2379,7 @@
- name: "18.10.17.3 | PATCH | Ensure Enable App Installer Hash Override is set to Disabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\AppInstaller
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller
name: EnableHashOverride
data: 0
type: dword
@@ -2394,7 +2394,7 @@
- name: "18.10.17.4 | PATCH | Ensure Enable App Installer ms-appinstaller protocol is set to Disabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\AppInstaller
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller
name: EnableMSAppInstallerProtocol
data: 0
type: dword
@@ -2409,7 +2409,7 @@
- name: "18.10.26.1.1 | PATCH | Ensure Application Control Event Log behavior when the log file reaches its maximum size is set to Disabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application
name: Retention
data: 0
type: string
@@ -2440,7 +2440,7 @@
- name: "18.10.26.1.2 | PATCH | Ensure Application Specify the maximum log file size KB is set to Enabled 32768 or greater | Set File Size."
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Application
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Eventlog\Application
name: MaxSize
data: "{{ win22cis_application_max_log_file_size }}"
type: dword
@@ -2456,7 +2456,7 @@
- name: "18.10.26.2.1 | PATCH | Ensure Security Control Event Log behavior when the log file reaches its maximum size is set to Disabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Security
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Eventlog\Security
name: Retention
data: 0
type: string
@@ -2487,7 +2487,7 @@
- name: "18.10.26.2.2 | PATCH | Ensure Security Specify the maximum log file size KB is set to Enabled 196608 or greater | Set Variable."
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Security
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Eventlog\Security
name: MaxSize
data: "{{ win22cis_security_max_log_file_size }}"
type: dword
@@ -2503,7 +2503,7 @@
- name: "18.10.26.3.1 | PATCH | Ensure Setup Control Event Log behavior when the log file reaches its maximum size is set to Disabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Setup
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Eventlog\Setup
name: Retention
data: 0
type: string
@@ -2534,7 +2534,7 @@
- name: "18.10.26.3.2 | PATCH | Ensure Setup Specify the maximum log file size KB is set to Enabled 32768 or greater | Set Variable."
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Setup
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Eventlog\Setup
name: MaxSize
data: "{{ win22cis_setup_max_log_file_size }}"
type: dword
@@ -2550,7 +2550,7 @@
- name: "18.10.26.4.1 | PATCH | Ensure System Control Event Log behavior when the log file reaches its maximum size is set to Disabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\System
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Eventlog\System
name: Retention
data: 0
type: string
@@ -2581,7 +2581,7 @@
- name: "18.10.26.4.2 | PATCH | Ensure System Specify the maximum log file size KB is set to Enabled 32768 or greater | Set Variable."
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\System
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Eventlog\System
name: MaxSize
data: "{{ win22cis_system_max_log_file_size }}"
type: dword
@@ -2597,7 +2597,7 @@
- name: "18.10.29.2 | PATCH | Ensure Turn off Data Execution Prevention for Explorer is set to Disabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Explorer
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer
name: NoDataExecutionPrevention
data: 0
type: dword
@@ -2612,7 +2612,7 @@
- name: "18.10.29.3 | PATCH | Ensure Turn off heap termination on corruption is set to Disabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Explorer
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer
name: NoHeapTerminationOnCorruption
data: 0
type: dword
@@ -2627,7 +2627,7 @@
- name: "18.10.29.4 | PATCH | Ensure Turn off shell protocol protected mode is set to Disabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
+ path: HKLM:\SOFTWARE\Microsoft\Windows\Currentversion\Policies\Explorer
name: PreXPSP2ShellProtocolBehavior
data: 0
type: dword
@@ -2642,7 +2642,7 @@
- name: "18.10.37.1 | PATCH | Ensure Turn off location is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Locationandsensors
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Locationandsensors
name: DisableLocation
data: 1
type: dword
@@ -2657,7 +2657,7 @@
- name: "18.10.41.1 | PATCH | Ensure Allow Message Service Cloud Sync is set to Disabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Messaging
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Messaging
name: AllowMessageSync
data: 0
type: dword
@@ -2672,7 +2672,7 @@
- name: "18.10.42.1 | PATCH | Ensure Block all consumer Microsoft account user authentication is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\MicrosoftAccount
+ path: HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftAccount
name: DisableUserAuth
data: 1
type: dword
@@ -2687,7 +2687,7 @@
- name: "18.10.43.5.1 | PATCH | Ensure Configure local setting override for reporting to Microsoft MAPS is set to Disabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet
name: LocalSettingOverrideSpynetReporting
data: 0
type: dword
@@ -2702,7 +2702,7 @@
- name: "18.10.43.5.2 | PATCH | Ensure Join Microsoft MAPS is set to Disabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet
name: SpynetReporting
data: 0
type: dword
@@ -2717,7 +2717,7 @@
- name: "18.10.43.6.1.1 | PATCH | Ensure Configure Attack Surface Reduction rules is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR
name: ExploitGuard_ASR_Rules
data: 1
type: dword
@@ -2732,7 +2732,7 @@
- name: "18.10.43.6.1.2 | PATCH | Ensure Configure Attack Surface Reduction rules Set the state for each ASR rule is configured"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
name: "{{ item }}"
data: 1
type: string
@@ -2761,7 +2761,7 @@
- name: "18.10.43.6.3.1 | PATCH | Ensure Prevent users and apps from accessing dangerous websites is set to Enabled Block"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection
name: EnableNetworkProtection
data: 1
type: dword
@@ -2823,7 +2823,7 @@
- name: "18.10.43.10.3 | PATCH | Ensure Turn on behavior monitoring is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
name: DisableBehaviorMonitoring
data: 0
type: dword
@@ -2855,7 +2855,7 @@
- name: "18.10.43.12.1 | PATCH | Ensure Configure Watson events is set to Disabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Defender\Reporting
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting
name: DisableGenericRePorts
data: 1
type: dword
@@ -2870,7 +2870,7 @@
- name: "18.10.43.13.1 | PATCH | Ensure Scan removable drives is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Defender\Scan
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Scan
name: DisableRemovableDriveScanning
data: 0
type: dword
@@ -2885,7 +2885,7 @@
- name: "18.10.43.13.2 | PATCH | Ensure Turn on e-mail scanning is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Defender\Scan
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Scan
name: DisableEmailScanning
data: 0
type: dword
@@ -2900,7 +2900,7 @@
- name: "18.10.43.16 | PATCH | Ensure Configure detection for potentially unwanted applications is set to Enabled Block"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Defender
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender
name: PUAProtection
data: 1
type: dword
@@ -2915,7 +2915,7 @@
- name: "18.10.43.17 | PATCH | Ensure Turn off Windows Defender AntiVirus is set to Disabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Defender
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender
name: DisableAntiSpyware
data: 0
type: dword
@@ -2930,7 +2930,7 @@
- name: "18.10.51.1 | PATCH | Ensure Prevent the usage of OneDrive for file storage is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Onedrive
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Onedrive
name: DisableFileSyncNGSC
data: 1
type: dword
@@ -2960,7 +2960,7 @@
- name: "18.10.57.2.2 | PATCH | Ensure Do not allow passwords to be saved is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Nt\Terminal Services
name: DisablePasswordSaving
data: 1
type: dword
@@ -2975,7 +2975,7 @@
- name: "18.10.57.3.2.1 | PATCH | Ensure Restrict Remote Desktop Services users to a single Remote Desktop Services session is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Nt\Terminal Services
name: fSingleSessionPerUser
data: 1
type: dword
@@ -2990,7 +2990,7 @@
- name: "18.10.57.3.3.1 | PATCH | Ensure Allow UI Automation redirection is set to Disabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Nt\Terminal Services
name: EnableUiaRedirection
data: 0
type: dword
@@ -3005,7 +3005,7 @@
- name: "18.10.57.3.3.2 | PATCH | Ensure Do not allow COM port redirection is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Nt\Terminal Services
name: fDisableCcm
data: 1
type: dword
@@ -3020,7 +3020,7 @@
- name: "18.10.57.3.3.3 | PATCH | Ensure Do not allow drive redirection is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Nt\Terminal Services
name: fDisableCdm
data: 1
type: dword
@@ -3035,7 +3035,7 @@
- name: "18.10.57.3.3.4 | PATCH | Ensure Do not allow location redirection is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Nt\Terminal Services
name: fDisableLocationRedir
data: 1
type: dword
@@ -3050,7 +3050,7 @@
- name: "18.10.57.3.3.5 | PATCH | Ensure Do not allow LPT port redirection is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Nt\Terminal Services
name: fDisableLPT
data: 1
type: dword
@@ -3065,7 +3065,7 @@
- name: "18.10.57.3.3.6 | PATCH | Ensure Do not allow supported Plug and Play device redirection is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Nt\Terminal Services
name: fDisablePNPRedir
data: 1
type: dword
@@ -3080,12 +3080,12 @@
- name: "18.10.57.3.3.7 | PATCH | Ensure Do not allow WebAuthn redirection is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Nt\Terminal Services
name: fDisableWebAuthn
data: 1
type: dword
when:
- - win22cis_rule_18_10_57_3_3_6
+ - win22cis_rule_18_10_57_3_3_7
tags:
- level2-domaincontroller
- level2-memberserver
@@ -3095,7 +3095,7 @@
- name: "18.10.57.3.9.1 | PATCH | Ensure Always prompt for password upon connection is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Nt\Terminal Services
name: fPromptForPassword
data: 1
type: dword
@@ -3110,7 +3110,7 @@
- name: "18.10.57.3.9.2 | PATCH | Ensure Require secure RPC communication is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Nt\Terminal Services
name: fEncryptRPCTraffic
data: 1
type: dword
@@ -3125,7 +3125,7 @@
- name: "18.10.57.3.9.3 | PATCH | Ensure Require use of specific security layer for remote RDP connections is set to Enabled SSL"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Nt\Terminal Services
name: SecurityLayer
data: 2
type: dword
@@ -3140,7 +3140,7 @@
- name: "18.10.57.3.9.4 | PATCH | Ensure Require user authentication for remote connections by using Network Level Authentication is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Nt\Terminal Services
name: UserAuthentication
data: 1
type: dword
@@ -3155,7 +3155,7 @@
- name: "18.10.57.3.9.5 | PATCH | Ensure Set client connection encryption level is set to Enabled High Level"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Nt\Terminal Services
name: MinEncryptionLevel
data: 3
type: dword
@@ -3190,7 +3190,7 @@
- name: "18.10.57.3.10.1 | PATCH | Ensure Set time limit for active but idle Remote Desktop Services sessions is set to Enabled 15 minutes or less | Set Variable."
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Nt\Terminal Services
name: MaxIdleTime
data: "{{ win22cis_idle_rdp_session_disconnect_time }}"
type: dword
@@ -3210,7 +3210,7 @@
- name: "18.10.57.3.10.2 | PATCH | Ensure Set time limit for disconnected sessions is set to Enabled 1 minute"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Nt\Terminal Services
name: MaxDisconnectionTime
data: 60000
type: dword
@@ -3225,7 +3225,7 @@
- name: "18.10.57.3.11.1 | PATCH | Ensure Do not delete temp folders upon exit is set to Disabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Nt\Terminal Services
name: DeleteTempDirsOnExit
data: 1
type: dword
@@ -3240,7 +3240,7 @@
- name: "18.10.57.3.11.2 | PATCH | Ensure Do not use temporary folders per session is set to Disabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Nt\Terminal Services
name: PerSessionTempDir
data: 1
type: dword
@@ -3255,7 +3255,7 @@
- name: "18.10.58.1 | PATCH | Ensure Prevent downloading of enclosures is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds
name: DisableEnclosureDownload
data: 1
type: dword
@@ -3270,7 +3270,7 @@
- name: "18.10.59.2 | PATCH | Ensure Allow Cloud Search is set to Enabled Disable Cloud Search"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search
name: AllowCloudSearch
data: 0
type: dword
@@ -3286,7 +3286,7 @@
- name: "18.10.59.3 | PATCH | Ensure Allow indexing of encrypted files is set to Disabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search
name: AllowIndexingEncryptedStoresOrItems
data: 0
type: dword
@@ -3302,7 +3302,7 @@
- name: "18.10.59.4 | PATCH | Ensure Allow search highlights is set to Disabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search
name: EnableDynamicContentInWSB
data: 0
type: dword
@@ -3317,7 +3317,7 @@
- name: "18.10.63.1 | PATCH | Ensure Turn off KMS Client Online AVS Validation is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Currentversion\Software Protection Platform
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Nt\Currentversion\Software Protection Platform
name: NoGenTicket
data: 1
type: dword
@@ -3334,14 +3334,14 @@
block:
- name: "18.10.76.2.1 | PATCH | Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass | EnableSmartScreen"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\System
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System
name: EnableSmartScreen
data: 1
type: dword
- name: "18.10.76.2.1 | PATCH | Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass | ShellSmartScreenLevel"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\System
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System
name: ShellSmartScreenLevel
data: Block
type: string
@@ -3356,7 +3356,7 @@
- name: "18.10.80.1 | PATCH | Ensure Allow suggested apps in Windows Ink Workspace is set to Disabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace
+ path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace
name: AllowSuggestedAppsInWindowsInkWorkspace
data: 0
type: dword
@@ -3406,7 +3406,7 @@
- name: "18.10.80.2 | PATCH | Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled' | Set Variable."
ansible.windows.win_regedit:
- path: HKLM:\Software\Microsoft\Policies\Microsoft\WindowsInkWorkspace
+ path: HKLM:\SOFTWARE\Microsoft\Policies\Microsoft\WindowsInkWorkspace
name: AllowWindowsInkWorkspace
data: "{{ win22cis_allow_windows_ink_workspace }}"
type: dword
@@ -3422,7 +3422,7 @@
- name: "18.10.81.1 | PATCH | Ensure Allow user control over installs is set to Disabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Installer
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer
name: EnableUserControl
data: 0
type: dword
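Review bot: The -3406 hunk carries the case change onto `HKLM:\SOFTWARE\Microsoft\Policies\Microsoft\WindowsInkWorkspace`, but the sibling task 18.10.80.1 in the -3356 hunk writes the same feature's policy under `HKLM:\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace`; the extra `Microsoft\` segment looks like a pre-existing typo that this commit preserves, and if so `AllowWindowsInkWorkspace` lands in a key the policy engine will presumably never read, so the control is silently a no-op. The task name in that hunk also repeats the 18.10.80.1 title ('Allow suggested apps in Windows Ink Workspace') although the value set is `AllowWindowsInkWorkspace`, i.e. 18.10.80.2 'Allow Windows Ink Workspace'. I would change the line to `path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace` and correct the name after confirming the key against the benchmark text. The enclosing task in the -3406 hunk continues past the hunk.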
@@ -3436,7 +3436,7 @@
- name: "18.10.81.2 | PATCH | Ensure 'Always install with elevated privileges' is set to 'Disabled'"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Installer
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer
name: AlwaysInstallElevated
data: 0
type: dword
@@ -3450,7 +3450,7 @@
- name: "18.10.81.3 | PATCH | Ensure Prevent Internet Explorer security prompt for Windows Installer scripts is set to Disabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Installer
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer
name: SafeForScripting
data: 0
type: dword
@@ -3465,7 +3465,7 @@
- name: "18.10.82.1 | PATCH | Ensure Enable MPR notifications for the system is set to Disabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
+ path: HKLM:\SOFTWARE\Microsoft\Windows\Currentversion\Policies\System
name: EnableMPR
data: 0
type: dword
@@ -3480,7 +3480,7 @@
- name: "18.10.82.2 | PATCH | Ensure Sign-in last interactive user automatically after a system-initiated restart is set to Disabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
+ path: HKLM:\SOFTWARE\Microsoft\Windows\Currentversion\Policies\System
name: DisableAutomaticRestartSignOn
data: 1
type: dword
@@ -3510,7 +3510,7 @@
- name: "18.10.87.2 | PATCH | Ensure Turn on PowerShell Transcription is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Transcription
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Powershell\Transcription
name: EnableTranscripting
data: 1
type: dword
@@ -3525,7 +3525,7 @@
- name: "18.10.89.1.1 | PATCH | Ensure Allow Basic authentication is set to Disabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Winrm\Client
name: AllowBasic
data: 0
type: dword
@@ -3541,7 +3541,7 @@
- name: "18.10.89.1.2 | PATCH | Ensure Allow unencrypted traffic is set to Disabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Winrm\Client
name: AllowUnencryptedTraffic
data: 0
type: dword
@@ -3557,7 +3557,7 @@
- name: "18.10.89.1.3 | PATCH | Ensure Disallow Digest authentication is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Winrm\Client
name: AllowDigest
data: 0
type: dword
@@ -3572,7 +3572,7 @@
- name: "18.10.89.2.1 | PATCH | Ensure Allow Basic authentication is set to Disabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Winrm\Service
name: AllowBasic
data: 0
type: dword
@@ -3589,7 +3589,7 @@
# This control will have to be set to Enabled (1) to allow for continued remote management via Ansible following machine restart
- name: "18.10.89.2.2 | PATCH | Ensure Allow remote server management through WinRM is set to Disabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Winrm\Service
name: AllowAutoConfig
data: 0
type: dword
@@ -3605,7 +3605,7 @@
- name: "18.10.89.2.3 | PATCH | Ensure Allow unencrypted traffic is set to Disabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Winrm\Service
name: AllowUnencryptedTraffic
data: 0
type: dword
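Review bot: In the -3589 hunk, `AllowAutoConfig` is still hard-coded to `data: 0` while the comment directly above it warns that the value must be `1` to keep WinRM, and therefore Ansible itself, reachable after a restart; the comment documents a lock-out hazard without giving the operator a switch to avoid it. Since this file already drives other values from variables (e.g. `data: "{{ win22cis_application_max_log_file_size }}"` in the -2440 hunk), the data here could likewise come from a documented default in defaults/main.yml so a WinRM-managed host can opt into `1` deliberately. If that is not wanted, the comment should at least name the rule toggle that skips this task and state that a reboot after applying it will require out-of-band access. The task's `when`/`tags` block lies outside the hunk.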
@@ -3622,7 +3622,7 @@
- name: "18.10.89.2.4 | PATCH | Ensure Disallow WinRM from storing RunAs credentials is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Winrm\Service
name: DisableRunAs
data: 1
type: dword
@@ -3637,7 +3637,7 @@
- name: "18.10.90.1 | PATCH | Ensure Allow Remote Shell Access is set to Disabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service\Winrs
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Winrm\Service\Winrs
name: AllowRemoteShellAccess
data: 0
type: dword
@@ -3653,7 +3653,7 @@
- name: "18.10.92.2.1 | PATCH | Ensure Prevent users from modifying settings is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Defender Security Center\App and Browser protection
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection
name: DisallowExploitProtectionOverride
data: 1
type: dword
@@ -3668,7 +3668,7 @@
- name: "18.10.93.1.1 | PATCH | Ensure No auto-restart with logged on users for scheduled automatic updates installations is set to Disabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windowsupdate\Au
name: NoAutoRebootWithLoggedOnUsers
data: 0
type: dword
@@ -3683,7 +3683,7 @@
- name: "18.10.93.2.1 | PATCH | Ensure Configure Automatic Updates is set to Enabled"
ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windowsupdate\Au
name: NoAutoUpdate
data: 0
type: dword
@@ -3698,7 +3698,7 @@ - name: "18.10.93.2.2 | PATCH | Ensure Configure Automatic Updates Scheduled install day is set to 0 - Every day" ansible.windows.win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windowsupdate\Au name: ScheduledInstallDay data: 0 type: dword @@ -3715,14 +3715,14 @@ block: - name: "18.10.93.4.1 | PATCH | Ensure Manage preview builds is set to Enabled Disable preview builds | ManagePreviewBuilds" ansible.windows.win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate name: ManagePreviewBuilds data: 1 type: dword - name: "18.10.93.4.1 | PATCH | Ensure Manage preview builds is set to Enabled Disable preview builds | ManagePreviewBuilds" ansible.windows.win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate name: ManagePreviewBuildsPolicyValue data: 1 type: dword @@ -3739,7 +3739,7 @@ block: - name: "18.10.93.4.2 | PATCH | Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days' | DeferFeatureUpdates" ansible.windows.win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate name: DeferFeatureUpdates data: 1 type: dword @@ -3760,7 +3760,7 @@ - name: "18.10.93.4.2 | PATCH | Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days' | DeferFeatureUpdatesPeriodInDays" ansible.windows.win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate name: DeferFeatureUpdatesPeriodInDays data: "{{ win22cis_defer_feature_updates_period_in_days }}" type: dword diff --git a/tasks/section19.yml b/tasks/section19.yml index 0c6a872..a8e7eb3 100644 
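Review bot: In the 18.10.93.4.1 hunk the second task keeps the name suffix `| ManagePreviewBuilds` although it writes the `ManagePreviewBuildsPolicyValue` value, so both tasks report under an identical name and cannot be told apart in play output or in a failure. Rename the second one to end in `| ManagePreviewBuildsPolicyValue`, matching the way the two 18.10.93.4.2 tasks in the following hunks are suffixed with `| DeferFeatureUpdates` and `| DeferFeatureUpdatesPeriodInDays`. The enclosing `block:` and its `when:` start outside the hunk.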
--- a/tasks/section19.yml +++ b/tasks/section19.yml @@ -2,7 +2,7 @@ - name: "19.1.3.1 | PATCH | Ensure Enable screen saver is set to Enabled" ansible.windows.win_regedit: - path: HKU:\{{ item }}\Software\Policies\Microsoft\Windows\Control Panel\Desktop + path: HKU:\{{ item }}\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop name: ScreenSaveActive data: 1 type: string @@ -19,7 +19,7 @@ - name: "19.1.3.2 | PATCH | Ensure Password protect the screen saver is set to Enabled" ansible.windows.win_regedit: - path: HKU:\{{ item }}\Software\Policies\Microsoft\Windows\Control Panel\Desktop + path: HKU:\{{ item }}\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop name: ScreenSaverIsSecure data: 1 type: string @@ -56,7 +56,7 @@ - name: "19.1.3.3 | PATCH | Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" ansible.windows.win_regedit: - path: HKU:\{{ item }}\Software\Policies\Microsoft\Windows\Control Panel\Desktop + path: HKU:\{{ item }}\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop name: ScreenSaveTimeOut data: "{{ win22cis_screen_saver_timeout }}" type: string @@ -73,7 +73,7 @@ - name: "19.5.1.1 | PATCH | Ensure Turn off toast notifications on the lock screen is set to Enabled" ansible.windows.win_regedit: - path: HKU:\{{ item }}\Software\Policies\Microsoft\Windows\Currentversion\Pushnotifications + path: HKU:\{{ item }}\SOFTWARE\Policies\Microsoft\Windows\Currentversion\Pushnotifications name: NoToastApplicationNotificationOnLockScreen data: 1 type: dword @@ -90,7 +90,7 @@ - name: "19.6.6.1.1 | PATCH | Ensure Turn off Help Experience Improvement Program is set to Enabled" ansible.windows.win_regedit: - path: HKU:\{{ item }}\Software\Policies\Microsoft\Assistance\Client\1.0 + path: HKU:\{{ item }}\SOFTWARE\Policies\Microsoft\Assistance\Client\1.0 name: NoImplicitFeedback data: 1 type: dword 
@@ -107,7 +107,7 @@ - name: "19.7.4.1 | PATCH | Ensure Do not preserve zone information in file attachments is set to Disabled" ansible.windows.win_regedit: - path: HKU:\{{ item }}\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments + path: HKU:\{{ item }}\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments name: SaveZoneInformation data: 2 type: dword @@ -124,7 +124,7 @@ - name: "19.7.4.2 | PATCH | Ensure Notify antivirus programs when opening attachments is set to Enabled" ansible.windows.win_regedit: - path: HKU:\{{ item }}\Software\Microsoft\Windows\Currentversion\Policies\Attachments + path: HKU:\{{ item }}\SOFTWARE\Microsoft\Windows\Currentversion\Policies\Attachments name: ScanWithAntiVirus data: 3 type: dword @@ -141,7 +141,7 @@ - name: "19.7.7.1 | PATCH | Ensure Configure Windows spotlight on lock screen is set to Disabled" ansible.windows.win_regedit: - path: HKU:\{{ item }}\Software\Policies\Microsoft\Windows\CloudContent + path: HKU:\{{ item }}\SOFTWARE\Policies\Microsoft\Windows\CloudContent name: ConfigureWindowsSpotlight data: 2 type: dword @@ -158,7 +158,7 @@ - name: "19.7.7.2 | PATCH | Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" ansible.windows.win_regedit: - path: HKU:\{{ item }}\Software\Policies\Microsoft\Windows\CloudContent + path: HKU:\{{ item }}\SOFTWARE\Policies\Microsoft\Windows\CloudContent name: DisableThirdPartySuggestions data: 1 type: dword @@ -175,7 +175,7 @@ - name: "19.7.7.3 | PATCH | Ensure Do not use diagnostic data for tailored experiences is set to Enabled" ansible.windows.win_regedit: - path: HKU:\{{ item }}\Software\Policies\Microsoft\Windows\CloudContent + path: HKU:\{{ item }}\SOFTWARE\Policies\Microsoft\Windows\CloudContent name: DisableTailoredExperiencesWithDiagnosticData data: 1 type: dword 
@@ -192,7 +192,7 @@ - name: "19.7.7.4 | PATCH | Ensure Turn off all Windows spotlight features is set to Enabled" ansible.windows.win_regedit: - path: HKU:\{{ item }}\Software\Policies\Microsoft\Windows\CloudContent + path: HKU:\{{ item }}\SOFTWARE\Policies\Microsoft\Windows\CloudContent name: DisableWindowsSpotlightFeatures data: 1 type: dword @@ -226,7 +226,7 @@ - name: "19.7.25.1 | PATCH | Ensure Prevent users from sharing files within their profile. is set to Enabled" ansible.windows.win_regedit: - path: HKU:\{{ item }}\Software\Microsoft\Windows\Currentversion\Policies\Explorer + path: HKU:\{{ item }}\SOFTWARE\Microsoft\Windows\Currentversion\Policies\Explorer name: NoInplaceSharing data: 1 type: dword @@ -244,7 +244,7 @@ - name: "19.7.40.1 | PATCH | Ensure Always install with elevated privileges is set to Disabled" ansible.windows.win_regedit: - path: HKU:\{{ item }}\Software\Policies\Microsoft\Windows\Installer + path: HKU:\{{ item }}\SOFTWARE\Policies\Microsoft\Windows\Installer name: AlwaysInstallElevated data: 0 type: dword @@ -261,7 +261,7 @@ - name: "19.7.42.2.1 | PATCH | Ensure Prevent Codec Download is set to Enabled" ansible.windows.win_regedit: - path: HKU:\{{ item }}\Software\Policies\Microsoft\Windowsmediaplayer + path: HKU:\{{ item }}\SOFTWARE\Policies\Microsoft\Windowsmediaplayer name: PreventCodecDownload data: 1 type: dword