CIS Baseline Ansible Role for Windows 2019
CIS Version: 2.0.0 CIS Version Release Date: 04-14-2023 (Benchmark v2.0.0)
REMOVE - 18.5.4 (L1) Ensure 'Configure DNS over HTTPS (DoH) name resolution' is set to 'Enabled: Allow DoH' or higher
UPDATE - 18.9.89 'Allow Windows Ink Workspace' TO 'Enabled: On, but disallow access above lock' OR 'Enabled: Disabled'
UPDATE - Section changes from Windows 11 Release 22H2 Administrative Templates
UPDATE - 18.10.87 (L1) 'Turn on PowerShell Transcription' is set to 'Disabled' TO 'Enabled'
ADD - 1.2 (L1) Ensure 'Allow Administrator account lockout' is set to 'Enabled'
REMOVE - 2.3.1 (L1) Ensure 'Accounts: Administrator account status' is set to 'Disabled'
ADD - 18.4 (L1) Ensure 'Configure RPC packet level privacy setting for incoming connections' is set to 'Enabled'
MOVE - 18.4 (L1) Ensure 'Limits print driver installation to Administrators' is set to 'Enabled' TO 18.7
ADD - 18.4 (L1) Ensure 'LSA Protection' is set to 'Enabled'
ADD - 18.6.4 (L1) Ensure 'Configure NetBIOS settings' is set to 'Enabled: Disable NetBIOS name resolution on public networks'
ADD - 18.7 (L1) Ensure 'Configure Redirection Guard' is set to 'Enabled: Redirection Guard Enabled'
ADD - 18.7 (L1) Ensure 'Configure RPC connection settings: Protocol to use for outgoing RPC connections' is set to 'Enabled: RPC over TCP'
ADD - 18.7 (L1) Ensure 'Configure RPC connection settings: Use authentication for outgoing RPC connections' is set to 'Enabled: Default'
ADD - 18.7 (L1) Ensure 'Configure RPC listener settings: Protocols to allow for incoming RPC connections' is set to 'Enabled: RPC over TCP'
ADD - 18.7 (L1) Ensure 'Configure RPC listener settings: Authentication protocol to use for incoming RPC connections' is set to 'Enabled: Negotiate' or higher
ADD - 18.7 (L1) Ensure 'Manage processing of Queue-specific files' is set to 'Enabled: Limit Queue-specific files to Color profiles'
ADD - 18.10.17 (L1) Ensure 'Enable App Installer' is set to 'Disabled'
ADD - 18.10.17 (L1) Ensure 'Enable App Installer Experimental Features' is set to 'Disabled'
ADD - 18.10.17 (L1) Ensure 'Enable App Installer Hash Override' is set to 'Disabled'
ADD - 18.10.17 (L1) Ensure 'Enable App Installer ms-appinstaller protocol' is set to 'Disabled'
UPDATE - 18.10.43.6.1 (L1) Ensure 'Configure Attack Surface Reduction rules' with additional ASR rule for "Block abuse of exploited vulnerable signed drivers"
ADD - 18.10.59 (L2) Ensure 'Allow search highlights' is set to 'Disabled'
ADD - 18.7 (L1) Ensure 'Configure RPC over TCP port' is set to 'Enabled: 0'
CIS Version: 1.3.0 CIS Version Release Date: 3-18-2022
Full Changelog: https://github.com/ansible-lockdown/Windows-2019-CIS/compare/1.2.0...1.3.0
Issues Addressed:
Enhancements:
CIS Version: 1.1.0 01-14-2020
Issue Fixes:
#37 - 18.9.59.3.11.1 - Updated level tags
#38 - 18.1.2.2 - Implemented control
#39 - 18.3.1 - Implemented control
#40 - 2.3.1.5/2.3.1.6 - Created variables for values
#41 - 2.2.47 - Updated value
#42 - 2.2.18 - Added logic for Hyper-V role not being installed
Enhancements:
Fixed linting issues to work with Galaxy
Implemented 18.1.3
Implemented 18.2.1
Implemented 18.2.2
Implemented 18.2.3
Implemented 18.2.4
Implemented 18.2.5
Implemented 18.2.6
Implemented 18.3.2
Implemented 18.3.5
CIS Version: 1.1.0 01-14-2020
Issues Addressed:
#14 - 18.3.4 - Bad data value
#15 - 18.3.6 - Bad data value
#16 - 18.5.21.1 - Bad data value
#17 - 18.9.77.13.3.1 - Bad regkey name
#18 - 18.9.95.1 - Bad data value
#19 - 18.9.95.2 - Bad data value
#21 - 18.9.26.3.1 - Bad regkey path
#23 - 18.9.26.1.1 - Bad data type
#24 - 19.7.4.1 - Bad data value
#25 - 2.3.6.4 - Bad data value
#26 - 2.3.11.4 - Bad data value
#27 - 17.5.1 - Bad shell command (fixed success:enable to failure:enable)
#28 - 9.1.4/9.2.4/9.3.4 - Bad data value