Merge pull request #100 from ansible-lockdown/2024_APRIL_UPDATE

2024 April Update: Section 1.2.x Logic, Section 19 HKU Improvement, Handler Fixes, Prelim Fixes

ChangeLog.md

@@ -2,6 +2,12 @@
 
 ## Release 2.0.1
 
+April 2024 Update
+- Thank you @MrSteve81 for the enhancements to this release!
+    - Improved 19.x section logic for Windows local user SIDs and HKU support.
+    - Reboot handler and logic Improvement with skip_reboot var feature.
+    - win_skip_for_test var update with additional description and supported controls of 18.10.89.2.2
+
 February 2024 Update
 - Issues Addressed:
     - [#88](https://github.com/ansible-lockdown/Windows-2019-CIS/issues/88) - Thank you @animatco

defaults/main.yml

@@ -34,16 +34,21 @@ min_ansible_version: "2.10.1"
 
 # win_skip_for_test is the setting that will skip tasks that may cause changes that will affect the system.
 # Controls that will be skipped:
-# win19cis_rule_2_3_1_5
-# win19cis_rule_9_3_5
-# win19cis_rule_18_9_102_1_1
-# win19cis_rule_18_9_102_1_2
-# win19cis_rule_18_9_102_2_1
-# win19cis_rule_18_9_102_2_2
-# win19cis_rule_18_9_102_2_3
-# win19cis_rule_18_9_103_1
+# win19cis_rule_2_3_1_4 - Rename default administrator account
+# win19cis_rule_9_3_5 - Enables Firewall Public Rules *Breaks Reboot*
+# win19cis_rule_18_10_89_1_1 - Disables WinRM Allow Client Basic Auth
+# win19cis_rule_18_10_89_1_2 - Disables Client Ensure Allow unencrypted traffic is set to Disabled Control.
+# win19cis_rule_18_10_89_2_1 - Disables WinRM Allow Service Basic Auth
+# win19cis_rule_18_10_89_2_2 - Disables Remote Server Management through WinRM
+# win19cis_rule_18_10_89_2_3 - Disables Service Ensure Allow unencrypted traffic is set to Disabled Control.
+# win19cis_rule_18_10_90_1 - Disables Remote Shell Access
 win_skip_for_test: false
 
+# Changes will be made that will require a system reboot.
+# The following option will allow whether or not to skip the reboot.
+# Default: true
+skip_reboot: true
+
 # These variables correspond with the CIS rule IDs or paragraph numbers defined in
 # the CIS benchmark documents.
 # PLEASE NOTE: These work in coordination with the section # group variables and tags.
@@ -120,10 +125,9 @@ win19cis_rule_2_3_1_1: true
 win19cis_rule_2_3_1_2: true
 win19cis_rule_2_3_1_3: true
 win19cis_rule_2_3_1_4: true
-# Setting win19cis_rule_2_3_1_5 Control To True Will Break Ansible Connection
+# Setting win19cis_rule_2_3_1_4 Control To True Will Break Ansible Connection
 # Setting win_skip_for_test: true -- will skip the controls here even if they are set to true.
 win19cis_rule_2_3_1_5: true
-win19cis_rule_2_3_1_6: true
 win19cis_rule_2_3_2_1: true
 win19cis_rule_2_3_2_2: true
 win19cis_rule_2_3_4_1: true
@@ -329,7 +333,7 @@ win19cis_rule_18_9_5_4: true
 win19cis_rule_18_9_5_5: true
 win19cis_rule_18_9_5_6: true
 win19cis_rule_18_9_5_7: true
-win19cis_rule_18_8_7_2: true
+win19cis_rule_18_9_7_2: true
 win19cis_rule_18_9_13_1: true
 win19cis_rule_18_9_19_2: true
 win19cis_rule_18_9_19_3: true
@@ -363,7 +367,7 @@ win19cis_rule_18_9_27_7: true
 win19cis_rule_18_9_30_1: true
 win19cis_rule_18_9_30_2: true
 win19cis_rule_18_9_32_6_1: true
-win19cis_rule_18_3_32_6_2: true
+win19cis_rule_18_9_32_6_2: true
 win19cis_rule_18_9_32_6_3: true
 win19cis_rule_18_9_32_6_4: true
 win19cis_rule_18_9_34_1: true
@@ -462,7 +466,6 @@ win19cis_rule_18_10_81_1: true
 win19cis_rule_18_10_81_2: true
 win19cis_rule_18_10_81_3: true
 win19cis_rule_18_10_82_1: true
-win19cis_rule_18_10_82_2: true
 win19cis_rule_18_10_87_1: true
 win19cis_rule_18_10_87_2: true
 # WINRM CONTROLS #
@@ -475,12 +478,10 @@ win19cis_rule_18_10_87_2: true
 # win19cis_rule_18_10_89_2_3
 win19cis_rule_18_10_89_1_1: true
 win19cis_rule_18_10_89_1_2: true
+win19cis_rule_18_10_89_1_3: true
 win19cis_rule_18_10_89_2_1: true
-win19cis_rule_18_10_89_2_2: true
+win19cis_rule_18_10_89_2_2: true # This control will have to be set to Enabled (1) to allow for continued remote management via Ansible following machine restart. We have it set to skip for testing.
 win19cis_rule_18_10_89_2_3: true
-# This control will have to be set to Enabled (1) to allow for continued remote management via Ansible following
-# machine restart. The CIS standard calls for 0 but doing so will break all remote connections to the system.
-win19cis_rule_18_10_89_1_3: true
 win19cis_rule_18_10_89_2_4: true
 win19cis_rule_18_10_90_1: true
 # WINRM CONTROLS END #
@@ -587,11 +588,11 @@ win19cis_increase_scheduling_priority_users: '{{ ["Administrators"] if (windows_
 # The recommended state for this setting is: Administrators and when Exchange is running in the environment) Exchange Servers.
 win19cis_exchange_server_running: false
 
-# 2.3.1.5
+# 2.3.1.4
 # win19cis_admin_username is the name the administrator account will be renamed to
 win19cis_admin_username: adminchangethis
 
-# 2.3.1.6
+# 2.3.1.5
 # win19cis_guest_username is the name the guest account will be renamed to
 win19cis_guest_username: guestchangethis
 
@@ -642,12 +643,59 @@ win19cis_cached_logons_count: 1
 # The recommended state for this setting is: between 5 and 14 days.
 win19cis_password_expiry_warning_days: 14
 
+# 2.3.7.9
+# win19cis_sc_remove_option is the setting determines what happens when the smart card for a logged-on user is removed from the smart card reader.
+# Note: Possible Valid Settings
+# 1 - Lock Workstation
+# 2 - Force Loggoff
+# 3 - Disconnect if a Remote Desktop Services session
+# Default: 1
+win19cis_sc_remove_option: 1
+
 # 2.3.9.1
 # win19cis_smb_auto_disconnect_time is the policy setting that allows you to specify the amount of continuous idle time that must pass in an
 # SMB session before the session is suspended because of inactivity.
 # The recommended state for this setting is: 15 or fewer minute(s).
 win19cis_smb_auto_disconnect_time: 15
 
+# 2.3.9.5
+# win19cis_smb_server_name_hardening_level is the policy setting controls the level of validation a computer with shared
+# folders or printers (the server) performs on the service principal name (SPN) that is provided by the client computer when
+# it establishes a session using the server message block (SMB) protocol.
+# Note: Possible Valid Settings
+# 1 - Accept if provided by client
+# 2 - Required from client
+# Default: 1
+win19cis_smb_server_name_hardening_level: 1
+
+# 2.3.11.4
+# win19cis_legacy_rc4_hmac_md5_support is the setting to configure the Windows 11 machine to support older kerberos.
+# Note: Some legacy applications and OSes may still require RC4_HMAC_MD5 - we recommend you test in your environment
+# and verify whether you can safely remove it.
+# CIS prefers keeping this setting as False to satisfy the requirements.
+# Default: false
+win19cis_legacy_rc4_hmac_md5_support: false
+
+# 2.3.11.8
+# win19cis_ldap_client_integrity is the policy setting determines the level of data signing that is requested on
+# behalf of clients that issue LDAP BIND requests. Configuring this setting to Require signing also conforms to the benchmark.
+# The recommended state for this setting is: Negotiate signing.
+# Note: Possible Valid Settings
+# 1 - Negotiate signing
+# 2 - Require signing
+# Default: 1
+win19cis_ldap_client_integrity: 1
+
+# 2.3.17.2
+# win19cis_consent_prompt_behavior_admin is the policy setting controls the behavior of the elevation prompt for administrators.
+# Configuring this setting to Prompt for credentials on the secure desktop also conforms to the benchmark.
+# The recommended state for this setting is: Prompt for consent on the secure desktop.
+# Note: Possible Valid Settings
+# 1 - Prompt for credentials on the secure desktop
+# 2 - Prompt for consent on the secure desktop
+# Default: 2
+win19cis_consent_prompt_behavior_admin: 2
+
 # Section 9 Variables
 
 # 9.1.5
@@ -682,7 +730,6 @@ win19cis_public_firewall_log_size: 16384
 
 # Section 18 Variables
 
-
 # 18.3.5
 # win19cis_laps_password_length is the LAPS tool password length.
 # The recommended state for this setting is: Enabled: 15 or more.
@@ -712,16 +759,6 @@ win19cis_screen_saver_grace_period: 5
 # The recommended state for this setting is: Enabled: 90% or less.
 win19cis_log_threshold_audit_event: 90
 
-# 18.6.4.1
-# win19cis_doh_policy os the setting determines if DNS over HTTPS (DoH) is used by the system. DNS over HTTPS (DoH) is a protocol
-# for performing remote Domain Name System (DNS) resolution over the Hypertext Transfer Protocol Secure (HTTPS).
-# The recommended state for this setting is: Enabled: Allow DoH.
-# Note: Possible Valid Settings
-# 2 - Enabled: Allow DoH
-# 3 - Enabled: Require DoH
-# Default: 2
-win19cis_doh_policy: 2
-
 # 18.6.4.1
 # win19cis_enable_netbios_policy is the policy that setting specifies if the Domain Name System (DNS) client will perform name resolution
 # over Network Basic Input/Output System (NetBIOS).

handlers/main.yml

@@ -1,5 +1,7 @@
 ---
 
-- name: reboot_windows
-  ansible.windows.win_reboot:
-      reboot_timeout: 3600
+- name: change_requires_reboot
+  ansible.builtin.set_fact:
+      reboot_host: true
+  tags:
+      - always

tasks/main.yml

@@ -87,6 +87,12 @@
   tags:
       - section19
 
+- name: Run Post Tasks
+  ansible.builtin.import_tasks:
+      file: post.yml
+  tags:
+      - always
+
 - name: If Warnings found Output count and control IDs affected
   ansible.builtin.debug:
       msg:

tasks/post.yml

@@ -0,0 +1,36 @@
+---
+
+- name: "POST | Flush Handlers"
+  ansible.builtin.meta: flush_handlers
+  tags:
+      - always
+
+- name: "POST | Reboot System Options"
+  block:
+      - name: "POST | Rebooting System................. Skip Reboot Has Been Set To: False"
+        ansible.windows.win_reboot:
+            reboot_timeout: 3600
+        when:
+            - reboot_host
+            - not skip_reboot
+
+      - name: "POST | Warning A Reboot Is Required, Skip Reboot Has Been Set"
+        ansible.builtin.debug:
+            msg:
+                - "Warning!! Changes Have Been Made That Require A Reboot To Be Implemented Manually."
+                - "Skip Reboot Was Set To: True - This Can Affect Compliance Check Results."
+        changed_when: true
+        when:
+            - reboot_host
+            - skip_reboot
+
+      - name: "POST | Warning A Reboot Is Required, Skip Reboot Has Been Set | Warning Count"
+        ansible.builtin.import_tasks:
+            file: warning_facts.yml
+        when:
+            - reboot_host
+            - skip_reboot
+  vars:
+      warn_control_id: Reboot_Required
+  tags:
+      - always

tasks/prelim.yml

@@ -1,6 +1,6 @@
 ---
 
-- name: Set System Facts Based On Gather Facts Module
+- name: PRELIM | Set System Facts Based On Gather Facts Module
   block:
       - name: Set fact is system is standalone
         ansible.builtin.set_fact:
@@ -26,7 +26,7 @@
 # Current list is elastic and will be updated as we test more cloud based services.
 # Current testing is working in Azure using Hyper-V. We are currently using this for reference:
 # https://github.com/ansible/ansible/blob/905131fc76a07cf89dbc8d33e7a4910da3f10a16/lib/ansible/module_utils/facts/virtual/linux.py#L205
-- name: Set Fact If Cloud-Based System.
+- name: PRELIM | Set Fact If Cloud-Based System.
   ansible.builtin.set_fact:
       win19cis_cloud_based_system: true
   when:
@@ -36,16 +36,52 @@
   tags:
       - always
 
-- name: Get Windows installation type
+- name: PRELIM | Get Windows installation type
   ansible.windows.win_reg_stat:
       path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion
       name: InstallationType
   register: get_windows_installation_type
   tags:
       - always
 
-- name: Set Windows installation type
+- name: PRELIM | Set Windows installation type
   ansible.builtin.set_fact:
       windows_installation_type: "{{ get_windows_installation_type.value | default('') }}"
   tags:
       - always
+
+- name: PRELIM | Obtain And Load Default Hive As Well As User Hives
+  block:
+      - name: PRELIM | Load Default User Hive (Account That All New Users Get Created From Profile)
+        ansible.windows.win_shell: REG LOAD HKU\DEFAULT C:\Users\Default\NTUSER.DAT
+        changed_when: false
+        failed_when: false
+
+      - name: PRELIM | Pull All Username and SIDs
+        ansible.windows.win_shell: Get-CimInstance -Class Win32_UserAccount -Filter "SID LIKE 'S-1-5-%'" | ForEach-Object { $_.Name + " " + $_.SID }
+        changed_when: false
+        failed_when: false
+        register: all_users
+
+      - name: PRELIM | Create Results List Fact For Username And SIDs
+        ansible.builtin.set_fact:
+            username_and_sid_results_list: "{{ all_users.stdout_lines | map('split', ' ') | list }}"
+
+      - name: PRELIM | Load All User Hives From Username And SIDs List
+        ansible.windows.win_shell: REG LOAD HKU\{{ item.1 }} C:\Users\{{ item.0 }}\NTUSER.DAT
+        changed_when: false
+        failed_when: false
+        loop: "{{ username_and_sid_results_list }}"
+
+      - name: PRELIM | Retrieve Current Users SIDs from HKEY_USERS
+        ansible.windows.win_shell: (Get-ChildItem "REGISTRY::HKEY_USERS").name | Where-Object {$_ -notlike "*_classes"}
+        changed_when: false
+        failed_when: false
+        register: current_users_loaded_hku
+
+      - name: PRELIM | Create List Fact For Current Users SIDs from HKEY_USERS
+        ansible.builtin.set_fact:
+            hku_loaded_list: "{{ current_users_loaded_hku.stdout | regex_replace('HKEY_USERS\\\\','') | split }}"
+  when: win19cis_section19
+  tags:
+      - always

tasks/section01.yml

@@ -177,9 +177,7 @@
   ansible.builtin.import_tasks:
       file: section01_cloud_lockout_order.yml
   when:
-      - win19cis_cloud_based_system or
-        win2019cis_is_domain_controller or
-        win2019cis_is_domain_member
+      - win19cis_cloud_based_system
   tags:
       - section01_cloud_lockout_order
 
@@ -254,9 +252,7 @@
             - win19cis_account_lockout_counter_reset <= win19cis_account_lockout_duration
   when:
       - win19cis_rule_1_2_4
-      - not win19cis_cloud_based_system or
-        win2019cis_is_domain_controller or
-        win2019cis_is_domain_member
+      - not win19cis_cloud_based_system
   tags:
       - level1-domaincontroller
       - level1-memberserver
@@ -288,9 +284,7 @@
         when: win19cis_account_lockout_duration >= 15
   when:
       - win19cis_rule_1_2_1
-      - not win19cis_cloud_based_system or
-        win2019cis_is_domain_controller or
-        win2019cis_is_domain_member
+      - not win19cis_cloud_based_system
   tags:
       - level1-domaincontroller
       - level1-memberserver

tasks/section01_cloud_lockout_order.yml

@@ -80,6 +80,7 @@
       value: "{{ win19cis_allow_admin_account_lockout }}"
   when:
       - win19cis_rule_1_2_3
+      - win2019cis_is_domain_member
   tags:
       - level1-memberserver
       - rule_1.2.3