Windows 2019 CIS Versions Save

CIS Baseline Ansible Role for Windows 2019

2.0.0

5 months ago

CIS Version: 2.0.0 CIS Version Release Benchmark v2.0.0 - 04-14-2023

REMOVE - 18.5.4 (L1) Ensure 'Configure DNS over HTTPS (DoH) name resolution' is set to 'Enabled: Allow DoH' or higher

UPDATE - 18.9.89 'Allow Windows Ink Workspace' TO 'Enabled: On, but disallow access above lock' OR 'Enabled: Disabled'

UPDATE - Section changes from Windows 11 Release 22H2 Administrative Templates

UPDATE – 18.10.87 (L1) 'Turn on PowerShell Transcription' is set to 'Disabled' TO 'Enabled'

ADD - 1.2 (L1) Ensure 'Allow Administrator account lockout' is set to 'Enabled'

REMOVE - 2.3.1 (L1) Ensure 'Accounts: Administrator account status' is set to 'Disabled'

ADD - 18.4 (L1) Ensure 'Configure RPC packet level privacy setting for incoming connections' is set to 'Enabled'

MOVE - 18.4 (L1) Ensure 'Limits print driver installation to Administrators' is set to 'Enabled' TO 18.7

ADD - 18.4 (L1) Ensure 'LSA Protection' is set to 'Enabled'

ADD - 18.6.4 (L1) Ensure 'Configure NetBIOS settings' is set to 'Enabled: Disable NetBIOS name resolution on public networks'

ADD - 18.7 (L1) Ensure 'Configure Redirection Guard' is set to 'Enabled: Redirection Guard Enabled'

ADD - 18.7 (L1) Ensure 'Configure RPC connection settings: Protocol to use for outgoing RPC connections' is set to 'Enabled: RPC over TCP'

ADD - 18.7 (L1) Ensure 'Configure RPC connection settings: Use authentication for outgoing RPC connections' is set to 'Enabled: Default'

ADD - 18.7 (L1) Ensure 'Configure RPC listener settings: Protocols to allow for incoming RPC connections' is set to 'Enabled: RPC over TCP'

ADD - 18.7 (L1) Ensure 'Configure RPC listener settings: Authentication protocol to use for incoming RPC connections' is set to 'Enabled: Negotiate' or higher

ADD - 18.7 (L1) Ensure 'Manage processing of Queue- specific files' is set to 'Enabled: Limit Queue-specific files to Color profiles'

ADD - 18.10.17 (L1) Ensure 'Enable App Installer' is set to 'Disabled'

ADD - 18.10.17 (L1) Ensure 'Enable App Installer Experimental Features' is set to 'Disabled'

ADD - 18.10.17 (L1) Ensure 'Enable App Installer Hash Override' is set to 'Disabled'

ADD - 18.10.17 (L1) Ensure 'Enable App Installer ms- appinstaller protocol' is set to 'Disabled'

UPDATE - 18.10.43.6.1 (L1) Ensure 'Configure Attack Surface Reduction rules' with additional ASR rule for "Block abuse of exploited vulnerable signed drivers"

ADD - 18.10.59 (L2) Ensure 'Allow search highlights' is set to 'Disabled'

ADD - 18.7 (L1) Ensure 'Configure RPC over TCP port' is set to 'Enabled: 0'

1.3.0

8 months ago

CIS Version: 1.3.0 CIS Version Release Date: 3-18-2022

Enhancements

  • Issues Closed
    • #31 - Thanks @georgenalen
    • #64 - Thanks @dimi4ik
    • #67 - Thanks @Igor-X
  • Benchmarks 1.2.1 - 1.2.3 Put In Correct Order To Take Into Account System Defaults.
  • Benchmark 1.1.7 - Added
  • Benchmark 2.2.37 - Added Variable To Choose If Exchange Server Installed.
  • Benchmark 2.3.6.5 - Added Variable
  • Benchmark 2.3.7.3 - Added Variable
  • Benchmark 2.3.7.6 - Added Variable
  • Benchmark 2.3.7.7 - Added Variable
  • Benchmark 18.4.9 - Added Variable
  • Benchmark 18.4.12 - Added Variable
  • Benchmark 18.8.3.1 - Old setting was set to disabled, new benchmark calls for enabled. Updated registry value.
  • Benchmark 18.9.12.1 - Calls For Disabled, Updated and Changed Registry Entry To Disable.
  • Benchmark 18.9.17.2 - Calls For Enabled, Updated and Changed Registry Entry To Enable.
  • Benchmark 18.9.27.1.2 - Added Variable
  • Benchmark 18.9.27.2.2 - Added Variable
  • Benchmark 18.9.27.3.2 - Added Variable
  • Benchmark 18.9.27.4.2 - Added Variable
  • Benchmark 18.9.64.1 - Added
  • Benchmark 18.9.65.3.10.1 - Added Variable
  • Benchmark 18.9.65.3.10.2 - Updated the registry entry time to 1 Min per CIS.
  • Benchmark 19.3.3 - Added Variable
  • Benchmark 19.1.3.4 - Removed Not A Valid Control

What's Changed

New Contributors

Full Changelog: https://github.com/ansible-lockdown/Windows-2019-CIS/compare/1.2.0...1.3.0

1.2.0

1 year ago

CIS Version: 1.3.0 CIS Version Release Date: 3-18-2022

Issues Addressed:

  • #36
  • #47
  • #48
  • #51
  • #52
  • #54
  • #59

Enhancements:

  • Updated to CIS benchmark 1.3.0

1.1.1

2 years ago

CIS Version: 1.1.0 01-14-2020

Issue Fixes: #37 - 18.9.59.3.11.1 - Updated level tags #38 - 18.1.2.2 - Implemented control #39 - 18.3.1 - Implemented control #40 - 2.3.1.5/2.3.1.6 - Created variables for values #41 - 2.2.47 - Updated value #42 - 2.2.18 - Added logic for Hyper-V role not being installed

Enhancements: Fixed linting issues to work with Galaxy Implemented 18.1.3 Implemented 18.2.1 Implemented 18.2.2 Implemented 18.2.3 Implemented 18.2.4 Implemented 18.2.5 Implemented 18.2.6 Implemented 18.3.2 Implemented 18.3.5

v1.1.0

3 years ago

CIS Version: 1.1.0 01-14-2020 Issues Addressed: #14 - 18.3.4 - Bad data value #15 - 18.3.6 - Bad data value #16 - 18.5.21.1 - Bad data value #17 - 18.9.77.13.3.1 - Bad regkey name #18 - 18.9.95.1 - Bad data value #19 - 18.9.95.2 - Bad data value #21 - 18.9.26.3.1 - Bad regkey path #23 - 18.9.26.1.1 - Bad data type #24 - 19.7.4.1 - Bad data value #25 - 2.3.6.4 - Bad data value #26 - 2.3.11.4 - Bad data value #27 - 17.5.1 - Bad shell command (fixed success:enable to failure:enable) #28 - 9.1.4/9.2.4/9.3.4 - Bad data value

v1.0.1

3 years ago

CIS Version: 1.1.0 01-14-2020 Issues Addressed:

  • #7 - 18.3.7 Control is missing
  • #8 - Align tags between sections
  • #10 - Wrong user for all users in win_user_right module

Updates:

  • Added missing controls 17.1.2 and 17.1.3
  • Updated README and CONTRIBUTING file

v1.0.0

3 years ago

CIS Version: 1.1.0 01-14-2020