forked from mondoohq/cnspec-policies
-
Notifications
You must be signed in to change notification settings - Fork 0
/
mondoo-windows-workstation-security.mql.yaml
228 lines (177 loc) · 13.8 KB
/
mondoo-windows-workstation-security.mql.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
# Copyright (c) Mondoo, Inc.
# SPDX-License-Identifier: BUSL-1.1
policies:
- uid: mondoo-windows-workstation-security
name: Windows Workstation Security
version: 0.4.0
license: BUSL-1.1
tags:
mondoo.com/category: security
mondoo.com/platform: windows
authors:
- name: Mondoo, Inc
email: [email protected]
docs:
desc: |
## Overview
This policy provides prescriptive guidance for establishing a secure configuration posture for Windows Client systems running on x86 and x64 platforms.
Commands and scripts are provided which should work on Windows 10 and 11.
### Intended Audience
This benchmark is intended for system and application administrators, security specialists, auditors, help desk, and platform deployment personnel who plan to develop, deploy, assess, or secure solutions that incorporate Windows on x86 or x64 platforms.
## Local scan
Local scan refer to scans of files and operating systems where cnspec is installed.
To scan the `localhost` against this policy:
```bash
cnspec scan local
```
## Remote scan
Remote scans use cnspec providers to retrieve on-demand scan results without having to install any agents.
For a complete list of providers run:
```bash
cnspec scan --help
```
### Prerequisites
Remote scans of Linux hosts requires authentication such as SSH keys.
### Scan a remote Windows system (SSH authentication)
```bash
cnspec scan ssh <user>@<IP_ADDRESS> --ask-pass
```
## Join the community!
Our goal is to build policies that are simple to deploy, accurate, and actionable.
If you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions.
groups:
- title: Secure Boot
filters: |
asset.platform.contains("windows")
windows.computerInfo['OsProductType'] == 1
checks:
- uid: mondoo-windows-workstation-security-antivirus-installed
- uid: mondoo-windows-workstation-security-automatic-update-is-enabled
- uid: mondoo-windows-workstation-security-bitlocker-enabled
- uid: mondoo-windows-workstation-security-secure-boot-is-enabled
scoring_system: highest impact
queries:
- uid: mondoo-windows-workstation-security-bitlocker-enabled
title: Ensure BitLocker Encryption is Enabled
impact: 100
mql: windows.bitlocker.volumes.all( protectionStatus["text"] == "Protected" )
docs:
desc: |
Encryption processes encode data in a manner that makes it unusable to unauthorized users who do not have the decryption key. The main advantage of encryption is that it turns data into an unreadable form that cannot be used when the notebook is stolen. Windows offers BitLocker, which enables you to encrypt entire drives and prevent unauthorized system changes.
Microsoft designed BitLocker to provide encryption for disk volumes. It is a free and built-in feature in many Windows versions, including Windows Vista and Windows 10. BitLocker asks users for a password, generates a recovery key, and encrypts the entire hard drive.
remediation: |
Turn on device encryption
1. Sign in to Windows with an administrator account (you may have to sign out and back in to switch accounts). For more info, see Create a local or administrator account in Windows.
2. Select the Start button, then select Settings > Update & Security > Device encryption. If Device encryption doesn't appear, it isn't available. You may be able to use standard BitLocker encryption instead. Open Device encryption in Settings.
3. If device encryption is turned off, select Turn on.
Turn on standard BitLocker encryption
1. Sign in to your Windows device with an administrator account (you may have to sign out and back in to switch accounts). For more info, see Create a local or administrator account in Windows.
2. In the search box on the taskbar, type Manage BitLocker and then select it from the list of results. Or, select the Start button, and then under Windows System, select Control Panel. In Control Panel, select System and Security, and then under BitLocker Drive Encryption, select Manage BitLocker.
Note: You'll only see this option if BitLocker is available for your device. It isn't available on Windows 10 Home edition.
3. Select Turn on BitLocker and then follow the instructions.
refs:
- url: https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838#:~:text=Turn%20on%20standard%20BitLocker%20encryption,-Sign%20in%20to&text=In%20the%20search%20box%20on,is%20available%20for%20your%20device.
title: Turn on device encryption
- uid: mondoo-windows-workstation-security-secure-boot-is-enabled
title: Ensure Secure Boot is enabled
impact: 100
mql: |
powershell("Confirm-SecureBootUEFI").stdout.trim.downcase == 'true'
docs:
desc: |
Secure Boot is a boot integrity feature that is part of the Unified Extensible Firmware Interface (UEFI) industry standard. Most modern computer systems are delivered to customers with a standard Secure Boot policy installed.
remediation: |
Enable Secure Boot in your computer's firmware.
refs:
- url: https://media.defense.gov/2020/Sep/15/2002497594/-1/-1/0/CTR-UEFI-Secure-Boot-Customization-UOO168873-20.PDF
title: UEFI Secure Boot Customization
- uid: mondoo-windows-workstation-security-automatic-update-is-enabled
title: Ensure Automatic Windows Update is enabled
impact: 100
mql: |
registrykey.property(path: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU', name: 'NoAutoUpdate') {
value >= 4
}
registrykey.property(path: 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU', name: 'ScheduledInstallDay') {
value == 0
}
docs:
desc: |
Auto updates are important for Windows because they help to ensure the security and stability of the operating system. Here are some of the key reasons why auto updates are important:
Security: Updates often contain security patches that help protect your computer from vulnerabilities that could be exploited by hackers or malware. By keeping your system up to date, you reduce the risk of being hacked or having your personal data compromised.
Bug fixes: Updates can also fix bugs and other issues that can cause crashes or other problems. By keeping your system up to date, you ensure that you have access to the latest fixes and improvements, which can help improve performance and reliability.
New features: Updates can also introduce new features and improvements to the Windows operating system. By keeping your system up to date, you ensure that you have access to these new features and can take advantage of the latest advancements in technology.
Overall, auto updates are important for Windows because they help keep your system secure, stable, and up to date with the latest features and improvements.
remediation: |
Under
```
Computer Configuration\Administrative Templates\Windows Components\Windows update\Configure Automatic Updates
```
, you must select one of the following options:
2 - Notify for download and auto install - When Windows finds updates that apply to this device, users will be notified that updates are ready to be downloaded. After going to Settings > Update & security > Windows Update, users can download and install any available updates.
3 - Auto download and notify for Install - Windows finds updates that apply to the device and downloads them in the background (the user is not notified or interrupted during this process). When the downloads are complete, users will be notified that they are ready to install. After going to Settings > Update & security > Windows Update, users can install them.
4 - Auto download and schedule the install - Specify the schedule using the options in the Group Policy Setting. For more information about this setting, see Schedule update installation.
5 - Allow local admin to choose setting - With this option, local administrators will be allowed to use the settings app to select a configuration option of their choice. Local administrators will not be allowed to disable the configuration for Automatic Updates. This option is not available in any Windows 10 or later versions.
7 - Notify for install and notify for restart (Windows Server 2016 and later only) - With this option, when Windows finds updates that apply to this device, they will be downloaded, then users will be notified that updates are ready to be installed. Once updates are installed, a notification will be displayed to users to restart the device.
```powershell
$keypath = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU"
$keyname = "NoAutoUpdate"
New-Item -Path $keypath -Name $keyname -Force
Set-ItemProperty -Path $keypath -Name $keyname -Value "4"
```
Configure Scheduled install day for every day (set to 0) under
```
Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update\Manage end user experience\Configure Automatic Updates: Scheduled install day
```
```powershell
$keypath = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU"
$keyname = "ScheduledInstallDay"
New-Item -Path $keypath -Name $keyname -Force
Set-ItemProperty -Path $keypath -Name $keyname -Value "0"
```
Critical operating system updates and service packs will automatically download every day (at 3:00 A.M., by default).
refs:
- url: https://learn.microsoft.com/en-us/windows/deployment/update/waas-wu-settings
title: Manage additional Windows Update settings
- url: https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/18127499
title: Configure Automatic Updates in a Non–Active Directory Environment
- uid: mondoo-windows-workstation-security-antivirus-installed
title: Ensure AntiVirus is installed, enabled and up-to-date
impact: 100
mql: |
windows.security.products.one(
type == "antivirus" &&
productState == "ON" &&
signatureState == "UP-TO-DATE" &&
timestamp - time.now < 25 * time.hour
)
docs:
desc: |
Auto updates are important for Windows because they help to ensure the security and stability of the operating system. Here are some of the key reasons why auto updates are important:
Security: Updates often contain security patches that help protect your computer from vulnerabilities that could be exploited by hackers or malware. By keeping your system up to date, you reduce the risk of being hacked or having your personal data compromised.
Bug fixes: Updates can also fix bugs and other issues that can cause crashes or other problems. By keeping your system up to date, you ensure that you have access to the latest fixes and improvements, which can help improve performance and reliability.
New features: Updates can also introduce new features and improvements to the Windows operating system. By keeping your system up to date, you ensure that you have access to these new features and can take advantage of the latest advancements in technology.
Overall, auto updates are important for Windows because they help keep your system secure, stable, and up to date with the latest features and improvements.
remediation: |
Complete the following steps to turn on Microsoft Defender Antivirus on your device.
1. Select the Start menu.
2. In the search bar, type Group Policy. Then select Edit Group Policy from the listed results. The Local Group Policy Editor opens.
3. Select Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus.
4. Scroll to the bottom of the list and select Turn off Microsoft Defender Antivirus.
5. Select Disabled or Not configured. It might feel counter-intuitive to select these options because the names suggest that you're turning Microsoft Defender Antivirus off. Don't worry, these options actually ensure that it's turned on.
6. Select Apply > OK.
If running these manually, they must be run line by line in order to function properly.
```powershell
Set-MpPreference -DisableRealtimeMonitoring $false
Set-MpPreference -DisableIOAVProtection $false
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name "Real-Time Protection" -Force
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableBehaviorMonitoring" -Value 0 -PropertyType DWORD -Force
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableOnAccessProtection" -Value 0 -PropertyType DWORD -Force
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableScanOnRealtimeEnable" -Value 0 -PropertyType DWORD -Force
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name "DisableAntiSpyware" -Value 0 -PropertyType DWORD -Force
start-service WinDefend
start-service WdNisSvc
```
refs:
- url: https://learn.microsoft.com/en-us/mem/intune/user-help/turn-on-defender-windows
title: Turn on Microsoft Defender Antivirus to access company resources