From 017cd5de017839c3ff303b1d46bba5b8d6b78a13 Mon Sep 17 00:00:00 2001 From: Stephen Williams Date: Wed, 12 Apr 2023 10:00:02 -0400 Subject: [PATCH] Yamllint Update, Yamllint Check, Ansible-lint Check, Module Names Update Signed-off-by: Stephen Williams --- .yamllint | 29 +- collections/requirements.yml | 2 + defaults/main.yml | 1 - tasks/cat1.yml | 56 ++-- tasks/cat2.yml | 502 +++++++++++++++++------------------ tasks/cat3.yml | 52 ++-- tasks/main.yml | 20 +- tasks/prelim.yml | 7 +- tasks/warning_facts.yml | 2 +- 9 files changed, 338 insertions(+), 333 deletions(-) diff --git a/.yamllint b/.yamllint index c054b57..ec46929 100644 --- a/.yamllint +++ b/.yamllint @@ -1,28 +1,33 @@ --- -# Based on ansible-lint config extends: default +ignore: | + tests/ + molecule/ + .github/ + .gitlab-ci.yml + *molecule.yml + rules: - braces: {max-spaces-inside: 1, level: error} - brackets: {max-spaces-inside: 1, level: error} - colons: {max-spaces-after: -1, level: error} - commas: {max-spaces-after: -1, level: error} - comments: disable - comments-indentation: disable - document-start: disable - empty-lines: {max: 3, level: error} - hyphens: {level: error} indentation: # Requiring 4 space indentation spaces: 4 # Requiring consistent indentation within a file, either indented or not indent-sequences: consistent - key-duplicates: enable + braces: + max-spaces-inside: 1 + level: error + brackets: + max-spaces-inside: 1 + level: error + empty-lines: + max: 1 line-length: disable + key-duplicates: enable new-line-at-end-of-file: enable new-lines: type: unix trailing-spaces: enable truthy: allowed-values: ['true', 'false'] - check-keys: true + check-keys: false diff --git a/collections/requirements.yml b/collections/requirements.yml index 9971cfb..6127164 100644 --- a/collections/requirements.yml +++ b/collections/requirements.yml @@ -2,6 +2,8 @@ collections: + - name: ansible.windows + - name: community.windows - name: community.general 
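Review bot: Deleting the `colons`, `commas`, `comments`, `comments-indentation`, `document-start` and `hyphens` entries reverts those rules to yamllint's defaults instead of keeping them disabled, which the commit title does not mention; `document-start` now warns on any file lacking `---` and `comments` demands `# ` with a space. If that tightening is intended, a comment such as `# rules not listed here use yamllint defaults` above `rules:` would make the new baseline explicit. The new `ignore:` block also lists `.github/`, so any workflow YAML under it is no longer linted at all.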
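Review bot: The added entries `- name: ansible.windows` and `- name: community.windows` carry no `version:`, so `ansible-galaxy collection install -r` resolves them to whatever is newest on Galaxy at install time and the behaviour of every `ansible.windows.*`/`community.windows.*` module this commit switches to can change underneath the role without a commit here. Pinning each entry, e.g. `- name: ansible.windows` followed by `  version: "X.Y.Z"  # placeholder: the release this role was tested against`, keeps installs reproducible; the existing `community.general` line has the same gap.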
diff --git a/defaults/main.yml b/defaults/main.yml index 6462dd0..3c21a68 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -312,7 +312,6 @@ win10stig_web_server: false # Value of true will always reboot after the role has run, value of false will prevent system from rebooting after the role has run. win10stig_always_reboot: true - # Variables related to individual tasks # CAT1 diff --git a/tasks/cat1.yml b/tasks/cat1.yml index 7cd8560..44fec9e 100644 --- a/tasks/cat1.yml +++ b/tasks/cat1.yml @@ -3,7 +3,7 @@ - name: "HIGH | WN10-00-000040 | AUDIT | Systems must be maintained at a supported servicing level." block: - name: "HIGH | WN10-00-000040 | AUDIT | Systems must be maintained at a supported servicing level. | Warning Meassage." - debug: + ansible.builtin.debug: msg: - "Warning!! Your version of Windows 10 does not conform to STIG standards." - "Please update your current version to a supported build or supported LTSC build." @@ -40,7 +40,7 @@ register: win10_00_000045_av_sftw_status - name: "HIGH | WN10-00-000045 | AUDIT | The Windows 10 system must use an anti-virus program | Alert on service not running." - debug: + ansible.builtin.debug: msg: - "Warning!! You do not have any AV software running" - "Please enable defender or a 3rd party AV software like McAfee or Symantec" 
@@ -68,11 +68,11 @@ - name: "HIGH | WN10-00-000050 | AUDIT | Local volumes must be formatted using NTFS" block: - name: "HIGH | WN10-00-000050 | AUDIT | Local volumes must be formatted using NTFS | Set file system type variable" - set_fact: + ansible.builtin.set_fact: win10_00_000050_c_volume_info: "{{ ansible_facts.disks[0].partitions | json_query('[?drive_letter == `C`] | [0].volumes') | json_query('[?type == `NTFS`] | [0].type') }}" - name: "HIGH | WN10-00-000050 | AUDIT | Local volumes must be formatted using NTFS | Alert on non-NTFS File System" - debug: + ansible.builtin.debug: msg: - "Warning!! You do not have an NTFS file system. Please format the C:\ to NTFS" when: win10_00_000050_c_volume_info != "NTFS" @@ -95,7 +95,7 @@ - name: "HIGH | WN10-00-000070 | AUDIT | Only accounts responsible for the administration of a system must have Administrator rights on the system." block: - name: "HIGH | WN10-00-000070 | AUDIT | Only accounts responsible for the administration of a system must have Administrator rights on the system. | Show Accounts." - debug: + ansible.builtin.debug: msg: - "The following users or groups have Administrator rights on this system." - "Please make sure that these users or groups meet the sites policies to be STIG compliant." @@ -116,7 +116,7 @@ - V-220712 - name: "HIGH | WN10-00-000100 | PATCH | Internet Information System (IIS) or its subcomponents must not be installed on a workstation." - win_optional_feature: + ansible.windows.win_optional_feature: name: "{{ item }}" state: absent with_items: 
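Review bot: The `set_fact` in the WN10-00-000050 hunk only looks at `ansible_facts.disks[0].partitions`, so on a host whose C: volume sits on another disk the JMESPath chain yields an empty value, `win10_00_000050_c_volume_info != "NTFS"` becomes true, and the non-NTFS warning fires on a compliant system (if I read the disk facts structure right). Querying every disk avoids the index assumption: `{{ ansible_facts.disks | map(attribute='partitions') | flatten | json_query(...) }}` with the two existing `json_query` stages unchanged. The commit only renames the modules in this block and leaves that logic as it was.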
@@ -136,13 +136,13 @@ - name: "HIGH | WN10-00-000145 | PATCH | Data Execution Prevention (DEP) must be configured to at least OptOut." block: - name: "HIGH | WN10-00-000145 | AUDIT | Data Execution Prevention (DEP) must be configured to at least OptOut. | Status check for idempotency." - win_shell: BCDEdit /enum "{current}" + ansible.windows.win_shell: BCDEdit /enum "{current}" register: win10_00_000145_dep_setting_search changed_when: false failed_when: false - name: "HIGH | WN10-00-000145 | PATCH | Data Execution Prevention (DEP) must be configured to at least OptOut. | Make change to match {{ wnstig_dep_value }}." - win_shell: BCDEdit /set "{current}" nx {{ wn10stig_dep_value }} + ansible.windows.win_shell: BCDEdit /set "{current}" nx {{ wn10stig_dep_value }} when: "wn10stig_dep_value not in win10_00_000145_dep_setting_search.stdout | regex_search('nx\\s.*') | trim | regex_replace('nx','') | trim" when: - wn10_00_000145 @@ -155,7 +155,7 @@ - V-220726 - name: "HIGH | WN10-00-000150 | PATCH | Structured Exception Handling Overwrite Protection (SEHOP) must be enabled." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel value: DisableExceptionChainValidation state: present @@ -174,7 +174,7 @@ - name: "HIGH | WN10-00-000240 | AUDIT | Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email." block: - name: "HIGH | WN10-00-000240 | AUDIT | Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email. | Show Accounts Warning." - debug: + ansible.builtin.debug: msg: - "The following users or groups have Administrator rights on this system" - "You will need to confirm that none of these accounts have access to the internet, such as web browsers, or with potential Internet soruces, such as email" 
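Review bot: The task name on the `/set` step templates `{{ wnstig_dep_value }}` while the command itself uses `{{ wn10stig_dep_value }}`; the first looks like a typo of the second, and Ansible leaves the undefined name unrendered in play output, so the name should read `Make change to match {{ wn10stig_dep_value }}.`. Since that variable is interpolated straight into `BCDEdit /set "{current}" nx …` through `win_shell`, an `ansible.builtin.assert` before it that `wn10stig_dep_value` is one of `OptIn`, `OptOut`, `AlwaysOn`, `AlwaysOff` would keep a mistyped default from reaching the shell; the existing string-form `when:` only guards idempotency, not validity. Neither point is introduced by the rename in this hunk.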
@@ -196,7 +196,7 @@ # Use of this flag is not recommended per Microsofts documentation. https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpsb/0b40db09-d95d-40a6-8467-32aedec8140c - name: "HIGH | WN10-AC-000045 | PATCH | Reversible password encryption must be disabled." - win_security_policy: + community.windows.win_security_policy: section: System Access key: ClearTextPassword value: "0" @@ -211,7 +211,7 @@ - V-220747 - name: "HIGH | WN10-CC-000075 | PATCH | Credential Guard must be running on Windows 10 domain-joined systems." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard value: "{{ item }}" state: present @@ -234,7 +234,7 @@ - V-220812 - name: "HIGH | WN10-CC-000155 | PATCH | Solicited Remote Assistance must not be allowed." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services value: fAllowToGetHelp state: present @@ -251,7 +251,7 @@ - V-220823 - name: "HIGH | WN10-CC-000180 | PATCH | Autoplay must be turned off for non-volume devices" - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer value: NoAutoplayfornonVolume state: present @@ -268,7 +268,7 @@ - V-220827 - name: "HIGH | WN10-CC-000185 | PATCH | The default autorun behavior must be configured to prevent autorun commands." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer value: NoAutorun state: present @@ -285,7 +285,7 @@ - V-220828 - name: "HIGH | WN10-CC-000190 | PATCH | Autoplay must be disabled for all drives." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer value: NoDriveTypeAutoRun state: present 
@@ -302,7 +302,7 @@ - V-220829 - name: "HIGH | WN10-CC-000315 | PATCH | The Windows Installer Always install with elevated privileges must be disabled." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer value: AlwaysInstallElevated state: present @@ -319,7 +319,7 @@ - V-220857 - name: "HIGH | WN10-CC-000330 | PATCH | The Windows Remote Management (WinRM) client must not use Basic authentication." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client value: AllowBasic state: present @@ -336,7 +336,7 @@ - V-220862 - name: "HIGH | WN10-CC-000345 | PATCH | The Windows Remote Management (WinRM) service must not use Basic authentication." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service value: AllowBasic state: present @@ -353,7 +353,7 @@ - V-220865 - name: "HIGH | WN10-SO-000140 | PATCH | Anonymous SID/Name translation must not be allowed." - win_security_policy: + community.windows.win_security_policy: section: System Access key: LSAAnonymousNameLookup value: 0 @@ -368,7 +368,7 @@ - V-220928 - name: "HIGH | WN10-SO-000145 | PATCH | Anonymous enumeration of SAM accounts must not be allowed." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa value: RestrictAnonymousSAM state: present @@ -385,7 +385,7 @@ - V-220929 - name: "HIGH | WN10-SO-000150 | PATCH | Anonymous enumeration of shares must be restricted." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa value: RestrictAnonymous state: present @@ -402,7 +402,7 @@ - V-220930 - name: "HIGH | WN10-SO-000165 | PATCH | Anonymous access to Named Pipes and Shares must be restricted." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters value: RestrictNullSessAccess state: present 
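Review bot: The WN10-CC-000345 hunk writes `AllowBasic` under `...\WinRM\Service`, and assuming the `data` just below the hunk is 0 that turns off Basic authentication on the very WinRM listener Ansible is talking to; a controller connecting with `ansible_winrm_transport: basic` will fail authentication on the next task rather than at the end of the play. That consequence deserves a comment above the task, e.g. `# Disables Basic auth on the WinRM listener; the controller must use ntlm/kerberos/credssp or later tasks cannot connect`, and optionally an early `ansible.builtin.fail` when `ansible_winrm_transport | default('') == 'basic'`. The client-side WN10-CC-000330 hunk above does not have this effect on the current session.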
@@ -419,7 +419,7 @@ - V-220932 - name: "HIGH | WN10-SO-000195 | PATCH | The system must be configured to prevent the storage of the LAN Manager hash of passwords." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa value: NoLMHash state: present @@ -436,7 +436,7 @@ - V-220937 - name: "HIGH | WN10-SO-000205 | PATCH | The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa value: LmCompatibilityLevel state: present @@ -453,7 +453,7 @@ - V-220938 - name: "HIGH | WN10-UR-000015 | PATCH | The Act as part of the operating system user right must not be assigned to any groups or accounts." - win_user_right: + ansible.windows.win_user_right: name: SeTcbPrivilege users: [] action: set @@ -468,7 +468,7 @@ - V-220958 - name: "HIGH | WN10-UR-000045 | PATCH | The Create a token object user right must not be assigned to any groups or accounts." - win_user_right: + ansible.windows.win_user_right: name: SeCreateTokenPrivilege users: [] when: @@ -482,7 +482,7 @@ - V-220963 - name: "HIGH | WN10-UR-000065 | PATCH | The Debug programs user right must only be assigned to the Administrators group." - win_user_right: + ansible.windows.win_user_right: name: SeDebugPrivilege users: Administrators action: set diff --git a/tasks/cat2.yml b/tasks/cat2.yml index de90b65..dc89b70 100644 --- a/tasks/cat2.yml +++ b/tasks/cat2.yml @@ -3,7 +3,7 @@ - name: "MEDIUM | WN10-00-000005 | AUDIT | Domain-joined systems must use Windows 10 Enterprise Edition 64-bit version." block: - name: "MEDIUM | WN10-00-000005 | AUDIT | Domain-joined systems must use Windows 10 Enterprise Edition 64-bit version. | Warning." - debug: + ansible.builtin.debug: msg: - "Warning!! You need to be on a 64-bit operating system when joined to a domain" - "This is a requirement for STIG compliance" 
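Review bot: In the WN10-UR-000045 hunk `ansible.windows.win_user_right` is given `users: []` but no `action:`, and the module's default action is `add`, so adding an empty list changes nothing and any account currently holding `SeCreateTokenPrivilege` keeps it — the control is effectively a no-op. The neighbouring WN10-UR-000015 and WN10-UR-000065 hunks both carry `action: set`; adding `action: set` after `users: []` here brings this task in line and actually clears the right. The rename in the hunk does not touch this.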
@@ -27,20 +27,20 @@ - name: "MEDIUM | WN10-00-000010 | AUDIT | Windows 10 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use." block: - name: "MEDIUM | WN10-00-000010 | AUDIT | Windows 10 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use. | Get TPM status." - win_command: wmic /namespace:\\root\cimv2\security\microsofttpm path win32_tpm get * /format:textvaluelist.xsl + ansible.windows.win_command: wmic /namespace:\\root\cimv2\security\microsofttpm path win32_tpm get * /format:textvaluelist.xsl changed_when: false failed_when: false register: wn10_00_000010_tpm_status - name: "MEDIUM | WN10-00-000010 | AUDIT | Windows 10 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use. | Running Instances Check." - debug: + ansible.builtin.debug: msg: - "Warning!! Please confirm TPM status is Ready for use, there are no instances currently running." when: - "'No Instance' in wn10_00_000010_tpm_status.stderr_lines | string" - name: "MEDIUM | WN10-00-000010 | AUDIT | Windows 10 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use. | Full TPM Check." - debug: + ansible.builtin.debug: msg: - "Warning!! Please confirm TPM status is Ready for use. Current settings do not meet STIG requirements." when: 
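Review bot: The TPM status check shells out to `wmic`, which Microsoft has deprecated and which is no longer present on newer Windows 10 builds (exact build aside); with `failed_when: false` and no look at `.rc`, a missing `wmic` leaves an empty `stdout` and an unrelated `stderr`, and neither the 'Running Instances' nor the 'Full TPM Check' warning below is guaranteed to fire. Using the PowerShell `Get-Tpm` cmdlet through `ansible.windows.win_shell` and conditioning the warnings on its `TpmPresent`/`TpmReady` fields would be more robust; at minimum, add a warning for `wn10_00_000010_tpm_status.rc != 0`. The module rename here does not change that behaviour.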
@@ -75,13 +75,13 @@ - name: "MEDIUM | WN10-00-000015 | AUDIT | Windows 10 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS." block: - name: "MEDIUM | WN10-00-000015 | AUDIT | Windows 10 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS | Check For UEFI Status." - win_shell: $env:firmware_type + ansible.windows.win_shell: $env:firmware_type changed_when: false failed_when: false register: wn10_00_000015_system_firmware_check - name: "MEDIUM | WN10-00-000015 | AUDIT | Windows 10 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS | Legacy BIOS Error." - debug: + ansible.builtin.debug: msg: - "Warning!! Your system firmware is configured to run in Legacy BIOS." - "UEFI is the requirement for STIG to be in compliance." @@ -107,7 +107,7 @@ - name: "MEDIUM | WN10-00-000025 | AUDIT | Windows 10 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where HBSS is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP)" block: - name: "MEDIUM | WN10-00-000025 | AUDIT | Windows 10 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where HBSS is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP) | Warning." - debug: + ansible.builtin.debug: msg: - "Warning!! Please install DoD-approved ESS software and ensure it is operating continuously" - "Ask site ISSM for documentation fo the ESS software installation and configuration" 
@@ -129,13 +129,13 @@ - name: "MEDIUM | WN10-00-000030 | AUDIT | Windows 10 information systems must use BitLocker to encrypt all disks to protect the confidentiality and integrity of all information at rest." block: - name: "MEDIUM | WN10-00-000030 | AUDIT | Windows 10 information systems must use BitLocker to encrypt all disks to protect the confidentiality and integrity of all information at rest." - win_shell: get-bitlockervolume -MountPoint "C:" | select ProtectionStatus | format-list + ansible.windows.win_shell: get-bitlockervolume -MountPoint "C:" | select ProtectionStatus | format-list changed_when: false failed_when: false register: wn10_00_000030_bitlocker_status - name: "MEDIUM | WN10-00-000030 | AUDIT | Windows 10 information systems must use BitLocker to encrypt all disks to protect the confidentiality and integrity of all information at rest." - debug: + ansible.builtin.debug: msg: - "Warning!! BitLocker is not enabled for the C:\ drive" - "Please enable BitLocker for at least the OS drive to conform to STIG Standards" @@ -161,7 +161,7 @@ - name: "MEDIUM | WN10-00-000031 | PATCH | Windows 10 systems must use a BitLocker PIN for pre-boot authentication." block: - name: "MEDIUM | WN10-00-000031 | PATCH | Windows 10 systems must use a BitLocker PIN for pre-boot authentication. | Set Advanced Startup value" - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\FVE value: UseAdvancedStartup state: present @@ -169,7 +169,7 @@ type: dword - name: "MEDIUM | WN10-00-000031 | PATCH | Windows 10 systems must use a BitLocker PIN for pre-boot authentication. | Set BitLocker Pin settings" - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\FVE value: "{{ win10stig_bitlocker_pin_type }}" state: present 
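Review bot: The BitLocker audit only queries `-MountPoint "C:"`, while the control text in the same hunk says all disks must be encrypted; any additional fixed volume is never examined, and the warning text ('at least the OS drive') silently narrows the requirement. Running `Get-BitLockerVolume | Select-Object MountPoint, ProtectionStatus | Format-List` without `-MountPoint` and checking each volume's `ProtectionStatus` in the warning's `when:` (which lies outside the hunk) would cover every drive. The module rename leaves this scope as it was.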
@@ -190,7 +190,7 @@ - V-220703 - name: "MEDIUM | WN10-00-000032 | PATCH | Windows 10 systems must use a BitLocker PIN with a minimum length of 6 digits for pre-boot authentication." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\FVE value: MinimumPIN state: present @@ -211,7 +211,7 @@ - name: "MEDIUM | WN10-00-000035 | AUDIT | The operating system must employ a deny-all, permit-by-exception wn10_AU_000085to allow the execution of authorized software programs." block: - name: "MEDIUM | WN10-00-000035 | AUDIT | The operating system must employ a deny-all, permit-by-exception wn10_AU_000085to allow the execution of authorized software programs. | Applocker XML Out." - win_shell: Get-AppLockerPolicy -Effective -XML > {{ win10stig_applocker_xml_output }} + ansible.windows.win_shell: Get-AppLockerPolicy -Effective -XML > {{ win10stig_applocker_xml_output }} changed_when: false failed_when: false when: @@ -219,7 +219,7 @@ - win10stig_applocker_output == 1 - name: "MEDIUM | WN10-00-000035 | AUDIT | The operating system must employ a deny-all, permit-by-exception wn10_AU_000085to allow the execution of authorized software programs. | Check XML File Warning." - debug: + ansible.builtin.debug: msg: - "Warning!! Please review the configuration of Applocker using the XML file located in directory" - "{{ win10stig_applocker_xml_output }} to confirm you have a deny-all policy in place that utilizes" @@ -230,7 +230,7 @@ - win10stig_applocker_output == 1 - name: "MEDIUM | WN10-00-000035 | AUDIT | The operating system must employ a deny-all, permit-by-exception wn10_AU_000085to allow the execution of authorized software programs. | Check For Applocker To Stdout." - win_shell: Get-AppLockerPolicy -Effective -XML + ansible.windows.win_shell: Get-AppLockerPolicy -Effective -XML changed_when: false failed_when: false register: win10stig_applocker_output 
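Review bot: The WN10-00-000035 'Check For Applocker To Stdout' hunk registers its result as `win10stig_applocker_output`, the same name the earlier 'Applocker XML Out' and 'Check XML File Warning' tasks test with `== 1` and the following ones with `!= 1`; if that name is a role default selecting the output mode, as those comparisons suggest, the register overwrites it with a result dict, after which `!= 1` is always true and `== 1` always false. Registering into a distinct name, e.g. `register: wn10_00_000035_applocker_policy`, and updating the later `when:` lines keeps the mode switch intact. Separately, the XML-out command redirects to `> {{ win10stig_applocker_xml_output }}` unquoted, so a path containing a space breaks the redirect; `> "{{ win10stig_applocker_xml_output }}"` is safer.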
@@ -239,7 +239,7 @@ - win10stig_applocker_output != 1 - name: "MEDIUM | WN10-00-000035 | AUDIT | The operating system must employ a deny-all, permit-by-exception wn10_AU_000085to allow the execution of authorized software programs. | Check Stdout Print Out." - debug: + ansible.builtin.debug: msg: - "Warning!! Please review the configuration of Applocker to confirm you have a deny-all policy in place that utilizes" - "a whitelist for applications. There is an AppLocker white paper from NSA that can be used as a guide" @@ -250,7 +250,7 @@ - win10stig_applocker_output != 1 - name: "MEDIUM | WN10-00-000035 | AUDIT | The operating system must employ a deny-all, permit-by-exception wn10_AU_000085to allow the execution of authorized software programs. | Warning Message When No Applocker." - debug: + ansible.builtin.debug: msg: - "Warning!! Applocker is not in use. Please confirm you have a deny-all policy in place that utilizes a whitelist for applications." - "This can be done through a utility like AppLocker to limit applications only to authorized applications" @@ -281,7 +281,7 @@ - name: "MEDIUM | WN10-00-000055 | AUDIT | Alternate operating systems must not be permitted on the same system." block: - name: "MEDIUM | WN10-00-000055 | AUDIT | Alternate operating systems must not be permitted on the same system. | Warning." - debug: + ansible.builtin.debug: msg: "Warning!! Please confirm that no other alternative operating systems exist on this system." - name: "MEDIUM | WN10-00-000055 | AUDIT | Alternate operating systems must not be permitted on the same system. | Warn Count." 
@@ -307,7 +307,7 @@ register: wn10_00_000060_share_names - name: "MEDIUM | WN10-00-000060 | AUDIT | Non system-created file shares on a system must limit access to groups that require it. | Alert Share Names" - debug: + ansible.builtin.debug: msg: - "Warning!! You have shares that non-system created. Please manually review those shares listed below to make sure appropriate permissions are applied" - "{{ wn10_00_000060_share_names.stdout_lines | select() | list }}" @@ -331,13 +331,13 @@ - name: "MEDIUM | WN10-00-000075 | AUDIT | Only accounts responsible for the backup operations must be members of the Backup Operators group." block: - name: "MEDIUM | WN10-00-000075 | AUDIT | Only accounts responsible for the backup operations must be members of the Backup Operators group. | Get Backup Operator users" - win_shell: get-localgroupmember -Name "Backup Operators" | Select-Object -Property Name | Format-Table -hidetableheaders + ansible.windows.win_shell: get-localgroupmember -Name "Backup Operators" | Select-Object -Property Name | Format-Table -hidetableheaders changed_when: false failed_when: false register: wn10_00_000075_bo_members - name: "MEDIUM | WN10-00-000075 | AUDIT | Only accounts responsible for the backup operations must be members of the Backup Operators group. | Display Backup Operator users" - debug: + ansible.builtin.debug: msg: - "Warning!! Below are the users in the Backup Operators group. Please review accounts are appropriate." - "{{ wn10_00_000075_bo_members.stdout_lines | select() | list }}" 
@@ -361,13 +361,13 @@ - name: "MEDIUM | WN10-00-000080 | AUDIT | Only authorized user accounts must be allowed to create or run virtual machines on Windows 10 systems." block: - name: "MEDIUM | WN10-00-000080 | AUDIT | Only authorized user accounts must be allowed to create or run virtual machines on Windows 10 systems. | Get Hyper-V group users" - win_shell: get-localgroupmember -Name "Hyper-V Administrators" | Select-Object -Property Name | Format-Table -hidetableheaders + ansible.windows.win_shell: get-localgroupmember -Name "Hyper-V Administrators" | Select-Object -Property Name | Format-Table -hidetableheaders changed_when: false failed_when: false register: wn10_00_000080_hyperv_members - name: "MEDIUM | WN10-00-000080 | AUDIT | Only authorized user accounts must be allowed to create or run virtual machines on Windows 10 systems. | Display Hyper-V group users" - debug: + ansible.builtin.debug: msg: - "Warning!! Below are the users in the Hyper-V Administrators group, please remove any unnecessary accounts" - "{{ wn10_00_000080_hyperv_members.stdout_lines | select() | list }}" 
@@ -391,13 +391,13 @@ - name: "MEDIUM | WN10-00-000090 | PATCH | Accounts must be configured to require password expiration." block: - name: "MEDIUM | WN10-00-000090 | AUDIT | Accounts must be configured to require password expiration. | Get list of PW Never Expire users" - win_shell: get-localuser | select Name, Enabled, PasswordExpires | Where-Object -Property Enabled -eq True | Where { $_.PasswordExpires -eq $null } | Select-Object -Property Name | Format-Table -hidetableheaders + ansible.windows.win_shell: get-localuser | select Name, Enabled, PasswordExpires | Where-Object -Property Enabled -eq True | Where { $_.PasswordExpires -eq $null } | Select-Object -Property Name | Format-Table -hidetableheaders changed_when: false failed_when: false register: wn10_00_000090_neverexpire_passwords - name: "MEDIUM | WN10-00-000090 | AUDIT | Accounts must be configured to require password expiration. | Display list of PW Never Expire users" - debug: + ansible.builtin.debug: msg: - "Warning!! You have some accounts that are set to never expire. Please review the below accounts and set an expiration" - "{{ wn10_00_000090_neverexpire_passwords.stdout_lines | select() | list }}" @@ -406,7 +406,7 @@ - not win10stig_disruption_high - name: "MEDIUM | WN10-00-000090 | PATCH | Accounts must be configured to require password expiration. | Set PW to Expire for PW Never Expire users" - win_user: + ansible.windows.win_user: name: "{{ item }}" password_never_expires: false with_items: 
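Review bot: The 'Get list of PW Never Expire users' command ends in `Select-Object -Property Name | Format-Table -hidetableheaders`, which emits column-padded text, so the names fed to `ansible.windows.win_user` via `with_items` in the next hunk can carry trailing spaces. Because `win_user` defaults to `state: present`, a name that does not match an existing account is created rather than updated, which is the wrong outcome for a hardening role. Emitting bare names with `Select-Object -ExpandProperty Name`, as the WN10-00-000130 drive-letter task already does, and passing `stdout_lines | map('trim') | select() | list` to the loop avoids both problems.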
@@ -435,13 +435,13 @@ - name: "MEDIUM | WN10-00-000105 | PATCH | Simple Network Management Protocol (SNMP) must not be installed on the system." block: - name: "MEDIUM | WN10-00-000105 | AUDIT | Simple Network Management Protocol (SNMP) must not be installed on the system. | Get SNMP State" - win_shell: Get-WindowsCapability -Online -Name "SNMP*" | Select-Object -Property State | Format-Table -hidetableheaders + ansible.windows.win_shell: Get-WindowsCapability -Online -Name "SNMP*" | Select-Object -Property State | Format-Table -hidetableheaders changed_when: false failed_when: false register: wn10_00_000105_snmp_state - name: "MEDIUM | WN10-00-000105 | PATCH | Simple Network Management Protocol (SNMP) must not be installed on the system. | Remove SNMP" - win_shell: remove-WindowsCapability -Online -Name "SNMP.Client~~~~0.0.1.0" + ansible.windows.win_shell: remove-WindowsCapability -Online -Name "SNMP.Client~~~~0.0.1.0" notify: reboot windows when: "'Installed' in wn10_00_000105_snmp_state.stdout" when: @@ -455,7 +455,7 @@ - V-220719 - name: "MEDIUM | WN10-00-000110 | PATCH | Simple TCP/IP Services must not be installed on the system." - win_optional_feature: + ansible.windows.win_optional_feature: name: SimpleTCP state: absent when: @@ -469,7 +469,7 @@ - V-220720 - name: "MEDIUM | WN10-00-000115 | PATCH | The Telnet Client must not be installed on the system." - win_optional_feature: + ansible.windows.win_optional_feature: name: TelnetClient state: absent when: @@ -483,7 +483,7 @@ - V-220721 - name: "MEDIUM | WN10-00-000120 | PATCH | The TFTP Client must not be installed on the system." - win_optional_feature: + ansible.windows.win_optional_feature: name: TFTP state: absent when: 
@@ -499,12 +499,12 @@ - name: "MEDIUM | WN10-00-000130 | PATCH | Software certificate installation files must be removed from Windows 10." block: - name: "MEDIUM | WN10-00-000130 | AUDIT | Software certificate installation files must be removed from Windows 10. | Get Drive Letters" - win_shell: Get-Volume | ?{ $_.DriveType -eq 'Fixed' } | Select-Object -ExpandProperty 'DriveLetter' + ansible.windows.win_shell: Get-Volume | ?{ $_.DriveType -eq 'Fixed' } | Select-Object -ExpandProperty 'DriveLetter' changed_when: false register: wn10_00_000130_drive_letters - name: "MEDIUM | WN10-00-000130 | AUDIT | Software certificate installation files must be removed from Windows 10. | Search for files" - win_find: + ansible.windows.win_find: paths: '{{ item }}:\' recurse: true patterns: ['*.p12', '*.pfx'] @@ -513,7 +513,7 @@ - "{{ wn10_00_000130_drive_letters.stdout_lines }}" - name: "MEDIUM | WN10-00-000130 | PATCH | Software certificate installation files must be removed from Windows 10. | Remove Files" - win_file: + ansible.windows.win_file: path: "{{ item.path }}" state: absent with_items: @@ -523,7 +523,7 @@ when: win10stig_disruption_high - name: "MEDIUM | WN10-00-000130 | AUDIT | Software certificate installation files must be removed from Windows 10. | Alert on files if not Disruptive High" - debug: + ansible.builtin.debug: msg: - "Warning!! You have .p12 and/or .pfx files on your system" - "Please review and remove the following files" 
@@ -549,14 +549,14 @@ - name: "MEDIUM | WN10-00-000135 | AUDIT | A host-based firewall must be installed and enabled on the system." block: - name: "MEDIUM | WN10-00-000135 | AUDIT | A host-based firewall must be installed and enabled on the system. | Get Defender Firewall status" - win_shell: get-netfirewallprofile -all | Where-Object -Property Enabled -eq True | Select-Object -Property Name | Format-Table -hidetableheaders + ansible.windows.win_shell: get-netfirewallprofile -all | Where-Object -Property Enabled -eq True | Select-Object -Property Name | Format-Table -hidetableheaders changed_when: false failed_when: false register: wn10_00_000135_defender_fw_status when: win10stig_firewall_type == "defender" - name: "MEDIUM | WN10-00-000135 | AUDIT | A host-based firewall must be installed and enabled on the system. | Warn on Defender Firewall enabled" - debug: + ansible.builtin.debug: msg: - "Warning!! You are using defender and 1 or more profiles are enabled" - "Please confirm the firewall profiles match the Firewall STIG" @@ -566,7 +566,7 @@ - win10stig_firewall_type == "defender" - name: "MEDIUM | WN10-00-000135 | AUDIT | A host-based firewall must be installed and enabled on the system. | Alert on Defender Firewall disabled" - debug: + ansible.builtin.debug: msg: - "Warning!! You are using Windows Defender as your firewall and it is fully disabled" - "Please enable the firewall using a Firewall profile provided by STIG" @@ -576,7 +576,7 @@ - win10stig_firewall_type == "defender" - name: "MEDIUM | WN10-00-000135 | AUDIT | A host-based firewall must be installed and enabled on the system. | Warn on 3rd party firewall" - debug: + ansible.builtin.debug: msg: - "Warning!! You are not using Windows Defender as your firewall." - "Please review the required profiles/settings for that firewall to confirm it aligns with STIG standards." 
@@ -599,7 +599,7 @@ - name: "MEDIUM | WN10-00-000140 | AUDIT | Inbound exceptions to the firewall on Windows 10 domain workstations must only allow authorized remote management hosts." block: - name: "MEDIUM | WN10-00-000140 | AUDIT | Inbound exceptions to the firewall on Windows 10 domain workstations must only allow authorized remote management hosts. | Alert if automation managed not enabled" - debug: + ansible.builtin.debug: msg: - "Warning!! You are using Windows Defender as your firewall on this host. Please confirm Inbound Rules only allow authorized inbound traffic" when: @@ -627,7 +627,7 @@ - notimplemented - name: "MEDIUM | WN10-00-000155 | PATCH | The Windows PowerShell 2.0 feature must be disabled on the system." - win_optional_feature: + ansible.windows.win_optional_feature: name: MicrosoftWindowsPowerShellV2Root state: absent when: @@ -641,7 +641,7 @@ - V-220728 - name: "MEDIUM | WN10-00-000160 | PATCH | The Server Message Block (SMB) v1 protocol must be disabled on the system." - win_optional_feature: + ansible.windows.win_optional_feature: name: SMB1Protocol state: absent when: @@ -655,7 +655,7 @@ - V-220729 - name: "MEDIUM | WN10-00-000165 | PATCH | The Server Message Block (SMB) v1 protocol must be disabled on the SMB server." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters value: SMB1 state: present @@ -672,7 +672,7 @@ - V-220730 - name: "MEDIUM | WN10-00-000170 | PATCH | The Server Message Block (SMB) v1 protocol must be disabled on the SMB client." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10 value: Start state: present 
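Review bot: The WN10-00-000155 and WN10-00-000160 `win_optional_feature` removals (PowerShell 2.0, SMB1Protocol) show no `notify: reboot windows`, unlike the SNMP and Secondary Logon tasks elsewhere in this diff, yet removing either feature normally needs a restart before it is actually gone. If the role relies on `win10stig_always_reboot` for that, a comment above the task saying so would help; otherwise `register:` the result and add `notify: reboot windows` guarded by `when: <result>.reboot_required`, which the module returns. Each task's `when:` list continues outside the hunk.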
@@ -692,7 +692,7 @@ # This service can't be stopped manually (through automation or manually through Services) # You need to disable then reboot Windows for the service to be stopped - name: "MEDIUM | WN10-00-000175 | PATCH | The Secondary Logon service must be disabled on Windows 10." - win_service: + ansible.windows.win_service: name: seclogon start_mode: disabled notify: reboot windows @@ -709,13 +709,13 @@ - name: "MEDIUM | WN10-00-000190 | AUDIT | Orphaned security identifiers (SIDs) must be removed from user rights on Windows 10." block: - name: "MEDIUM | WN10-00-000190 | AUDIT | Orphaned security identifiers (SIDs) must be removed from user rights on Windows 10. | Check For Orphaned User Accounts." - win_shell: Get-WmiObject -Class win32_useraccount | Where-Object {$_.SID -match "*S"} | Select name,sid,domain + ansible.windows.win_shell: Get-WmiObject -Class win32_useraccount | Where-Object {$_.SID -match "*S"} | Select name,sid,domain changed_when: false failed_when: false register: wn10_00_000190_orphaned_user_accounts - name: "MEDIUM | WN10-00-000190 | AUDIT | Orphaned security identifiers (SIDs) must be removed from user rights on Windows 10. | Audit For User Accounts Found." - debug: + ansible.builtin.debug: msg: - "Warning!! Please review the User Rights listed for each of any unresolved SID to determine whether they are valid." - "User Accounts" 
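Review bot: The `Where-Object {$_.SID -match "*S"}` filter in the second hunk is not a valid regular expression: `-match` is regex-based and `*S` starts with a quantifier that has nothing to repeat, so .NET rejects the pattern and the pipeline errors out; with `failed_when: false` that error is hidden, `wn10_00_000190_orphaned_user_accounts` stays empty, and the "Audit For User Accounts Found" warning can never fire. The same expression is used for `win32_group` in the next hunk (`wn10_00_000190_orphaned_group_accounts`). What the pattern was meant to select is not clear from the task (`-like "*S"` would be a valid wildcard but matches only SIDs ending in "S", which is not what an unresolved SID looks like), so the expression should be rewritten against the actual intent, and until then `failed_when` should not mask the error.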
@@ -725,13 +725,13 @@ - wn10_00_000190_orphaned_user_accounts.stdout_lines | select() | length > 0 - name: "MEDIUM | WN10-00-000190 | AUDIT | Orphaned security identifiers (SIDs) must be removed from user rights on Windows 10. | Check For Orphaned Group Accounts." - win_shell: Get-WmiObject -Class win32_group | Where-Object {$_.SID -match "*S"} | Select name,sid,domain + ansible.windows.win_shell: Get-WmiObject -Class win32_group | Where-Object {$_.SID -match "*S"} | Select name,sid,domain changed_when: false failed_when: false register: wn10_00_000190_orphaned_group_accounts - name: "MEDIUM | WN10-00-000190 | AUDIT | Orphaned security identifiers (SIDs) must be removed from user rights on Windows 10. | Audit For Group Accounts Found." - debug: + ansible.builtin.debug: msg: - "Warning!! Please review the User Rights listed for each of any unresolved SID to determine whether they are valid." - "Group Accounts" @@ -760,7 +760,7 @@ - name: "MEDIUM | WN10-00-000210 | PATCH | Bluetooth must be turned off unless approved by the organization." block: - name: "MEDIUM | WN10-00-000210 | PATCH | Bluetooth must be turned off unless approved by the organization. | Disable BT in the registry" - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ActionCenter\QuickActions\All\SystemSettings_Device_BluetoothQuickAction value: Type state: present @@ -769,7 +769,7 @@ notify: reboot windows - name: "MEDIUM | WN10-00-000210 | PATCH | Bluetooth must be turned off unless approved by the organization. | Disable BT service" - win_service: + ansible.windows.win_service: name: bthserv state: stopped start_mode: disabled 
@@ -786,7 +786,7 @@ - name: "MEDIUM | WN10-00-000220 | PATCH | Bluetooth must be turned off when not in use." block: - name: "MEDIUM | WN10-00-000220 | PATCH | Bluetooth must be turned off when not in use. | Disable BT in the registry" - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ActionCenter\QuickActions\All\SystemSettings_Device_BluetoothQuickAction value: Type state: present @@ -795,7 +795,7 @@ notify: reboot windows - name: "MEDIUM | WN10-00-000220 | PATCH | Bluetooth must be turned off when not in use. | Disable BT service" - win_service: + ansible.windows.win_service: name: bthserv state: stopped start_mode: disabled @@ -810,7 +810,7 @@ - V-220735 - name: "MEDIUM | WN10-00-000230 | PATCH | The system must notify the user when a Bluetooth device attempts to connect." - win_regedit: + ansible.windows.win_regedit: path: HKCU:\Software\Microsoft\BluetoothAuthenticationAgent value: AcceptIncomingRequests state: present @@ -827,7 +827,7 @@ - V-220736 - name: "MEDIUM | WN10-00-000250 | AUDIT | Windows 10 non-persistent VM sessions should not exceed 24 hours." - debug: + ansible.builtin.debug: msg: "Warning!! Please investigate VDI settings to make sure they are non-persistent and do not exceed 24 hours." when: - wn10_00_000250 @@ -841,7 +841,7 @@ # Needs to go before WN10-AC-000005 since the Lockout Duration could be disabled if the Lockout Policy is set to 0 causing the task to fail - name: "MEDIUM | WN10-AC-000010 | PATCH | The number of allowed bad logon attempts must be configured to 3 or less." - win_security_policy: + community.windows.win_security_policy: section: System Access key: LockoutBadCount value: "{{ win10stig_account_settings.lockoutbadcount }}" 
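Review bot: The WN10-00-000230 task in the third hunk writes `HKCU:\Software\Microsoft\BluetoothAuthenticationAgent` through `win_regedit`, and HKCU in that context is the hive of the account Ansible connects as, not of the users who will log on interactively; the rest of the task (`data`/`type`) is outside the hunk. If the intent is a system-wide setting, document the limitation above the task, e.g. `# HKCU here is the Ansible connection user's hive; other user profiles are not covered`, or consider the module's `hive:` option to load the default user hive instead.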
@@ -858,7 +858,7 @@ # Putting this before WN10-AC-000005 ensures the value being set conforms to the needed standard for account settings # The Lockout Duration must be greater or equal to the Reset Account Lockout counter. - name: "MEDIUM | WN10-AC-000015 | PATCH | The period of time before the bad logon counter is reset must be configured to 15 minutes." - win_security_policy: + community.windows.win_security_policy: section: System Access key: ResetLockoutCount value: "{{ win10stig_account_settings.resetlockoutcount }}" @@ -874,7 +874,7 @@ - V-220741 - name: "MEDIUM | WN10-AC-000005 | PATCH | Windows 10 account lockout duration must be configured to 15 minutes or greater." - win_security_policy: + community.windows.win_security_policy: section: System Access key: LockoutDuration value: "{{ win10stig_account_settings.lockoutduration }}" @@ -889,7 +889,7 @@ - V-220739 - name: "MEDIUM | WN10-AC-000020 | PATCH | The password history must be configured to 24 passwords remembered." - win_security_policy: + community.windows.win_security_policy: section: System Access key: PasswordHistorySize value: "{{ win10stig_account_settings.passwordhistory }}" @@ -904,7 +904,7 @@ - V-220742 - name: "MEDIUM | WN10-AC-000025 | PATCH | The maximum password age must be configured to 60 days or less." - win_security_policy: + community.windows.win_security_policy: section: System Access key: MaximumPasswordAge value: "{{ win10stig_account_settings.max_pass_age }}" @@ -919,7 +919,7 @@ - V-220743 - name: "MEDIUM | WN10-AC-000030 | PATCH | The minimum password age must be configured to at least 1 day." - win_security_policy: + community.windows.win_security_policy: section: System Access key: MinimumPasswordAge value: "{{ win10stig_account_settings.min_pass_age }}" 
@@ -934,7 +934,7 @@ - V-220744 - name: "MEDIUM | WN10-AC-000035 | PATCH | Passwords must, at a minimum, be 14 characters." - win_security_policy: + community.windows.win_security_policy: section: System Access key: MinimumPasswordLength value: "{{ win10stig_account_settings.min_pass_length }}" @@ -949,7 +949,7 @@ - V-220745 - name: "MEDIUM | WN10-AC-000040 | PATCH | The built-in Microsoft password complexity filter must be enabled." - win_security_policy: + community.windows.win_security_policy: section: System Access key: PasswordComplexity value: 1 @@ -969,7 +969,7 @@ - name: | "MEDIUM | WN10-AU-000005 | PATCH | The system must be configured to audit Account Logon - Credential Validation failures." "MEDIUM | WN10-AU-000010 | PATCH | The system must be configured to audit Account Logon - Credential Validation successes." - win_audit_policy_system: + community.windows.win_audit_policy_system: subcategory: Credential Validation audit_type: "{{ (wn10_AU_000005 and not wn10_AU_000010) | ternary ('failure', '') }}{{ (wn10_AU_000010 and not wn10_AU_000005) | ternary ('success', '') }}{{ (wn10_AU_000005 and wn10_AU_000010) | ternary ('success, failure', '') }}" when: @@ -987,7 +987,7 @@ - V-220749 - name: "MEDIUM | WN10-AU-000030 | PATCH | The system must be configured to audit Account Management - Security Group Management successes." - win_audit_policy_system: + community.windows.win_audit_policy_system: subcategory: Security Group Management audit_type: "{{ win10stig_audit_settings.security_group_mngmnt_include_failure | ternary ('success, failure', 'success' ) }}" when: 
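Review bot: The `audit_type` for the combined WN10-AU-000005/000010 task in the third hunk is built from three mutually exclusive `ternary` filters concatenated into one string, which is hard to read and yields an empty string when both flags are false (whether the `when:` below, outside the hunk, rules that out is not visible). Since the module accepts a list for `audit_type`, the same value is clearer as `audit_type: "{{ (wn10_AU_000010 | ternary(['success'], [])) + (wn10_AU_000005 | ternary(['failure'], [])) }}"`. The same construction is repeated for every paired control in this file (WN10-AU-000035/040, 000070/075, 000081/082, 000083/084, 000085/090, 000110/115, 000130/135, 000155/160, 000560/565, 000575/580).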
@@ -1009,7 +1009,7 @@ - name: | "MEDIUM | WN10-AU-000035 | PATCH | The system must be configured to audit Account Management - User Account Management failures." "MEDIUM | WN10-AU-000040 | PATCH | The system must be configured to audit Account Management - User Account Management successes." - win_audit_policy_system: + community.windows.win_audit_policy_system: subcategory: User Account Management audit_type: "{{ (wn10_AU_000035 and not wn10_AU_000040) | ternary ('failure', '') }}{{ (wn10_AU_000040 and not wn10_AU_000035) | ternary ('success', '') }}{{ (wn10_AU_000035 and wn10_AU_000040) | ternary ('success, failure', '') }}" when: @@ -1033,7 +1033,7 @@ - V-220752 - name: "MEDIUM | WN10-AU-000045 | PATCH | The system must be configured to audit Detailed Tracking - PNP Activity successes." - win_audit_policy_system: + community.windows.win_audit_policy_system: subcategory: Plug and Play Events audit_type: "{{ win10stig_audit_settings.pnp_activity_include_failure | ternary ('success, failure', 'success' ) }}" when: @@ -1048,7 +1048,7 @@ - V-220753 - name: "MEDIUM | WN10-AU-000050 | PATCH | The system must be configured to audit Detailed Tracking - Process Creation successes." - win_audit_policy_system: + community.windows.win_audit_policy_system: subcategory: Process Creation audit_type: "{{ win10stig_audit_settings.process_creation_include_failure | ternary ('success, failure', 'success' ) }}" when: @@ -1063,7 +1063,7 @@ - V-220754 - name: "MEDIUM | WN10-AU-000054 | PATCH | The system must be configured to audit Logon/Logoff - Account Lockout failures." - win_audit_policy_system: + community.windows.win_audit_policy_system: subcategory: Account Lockout audit_type: "{{ win10stig_audit_settings.accnt_lockout_include_success | ternary ('success, failure', 'failure' ) }}" when: 
@@ -1077,7 +1077,7 @@ - V-220755 - name: "MEDIUM | WN10-AU-000060 | PATCH | The system must be configured to audit Logon/Logoff - Group Membership successes." - win_audit_policy_system: + community.windows.win_audit_policy_system: subcategory: Group Membership audit_type: "{{ win10stig_audit_settings.group_membership_include_failure | ternary ('success, failure', 'success' ) }}" when: @@ -1091,7 +1091,7 @@ - V-220756 - name: "MEDIUM | WN10-AU-000065 | PATCH | The system must be configured to audit Logon/Logoff - Logoff successes." - win_audit_policy_system: + community.windows.win_audit_policy_system: subcategory: Logoff audit_type: "{{ win10stig_audit_settings.logoff_include_failure | ternary ('success, failure', 'success' ) }}" when: @@ -1108,7 +1108,7 @@ - name: | "MEDIUM | WN10-AU-000070 | PATCH | The system must be configured to audit Logon/Logoff - Logon failures." "MEDIUM | WN10-AU-000075 | PATCH | The system must be configured to audit Logon/Logoff - Logon successes." - win_audit_policy_system: + community.windows.win_audit_policy_system: subcategory: Logon audit_type: "{{ (wn10_AU_000070 and not wn10_AU_000075) | ternary ('failure', '') }}{{ (wn10_AU_000075 and not wn10_AU_000070) | ternary ('success', '') }}{{ (wn10_AU_000070 and wn10_AU_000075) | ternary ('success, failure', '') }}" when: @@ -1127,7 +1127,7 @@ - V-220759 - name: "MEDIUM | WN10-AU-000080 | PATCH | The system must be configured to audit Logon/Logoff - Special Logon successes." - win_audit_policy_system: + community.windows.win_audit_policy_system: subcategory: Special Logon audit_type: "{{ win10stig_audit_settings.special_logon_include_failure | ternary ('success, failure', 'success' ) }}" when: 
@@ -1143,7 +1143,7 @@ - name: | "MEDIUM | WN10-AU-000081 | PATCH | Windows 10 must be configured to audit Object Access - File Share failures." "MEDIUM | WN10-AU-000082 | PATCH | Windows 10 must be configured to audit Object Access - File Share successes." - win_audit_policy_system: + community.windows.win_audit_policy_system: subcategory: File Share audit_type: "{{ (wn10_AU_000081 and not wn10_AU_000082) | ternary ('failure', '') }}{{ (wn10_AU_000082 and not wn10_AU_000081) | ternary ('success', '') }}{{ (wn10_AU_000081 and wn10_AU_000082) | ternary ('success, failure', '') }}" when: @@ -1163,7 +1163,7 @@ - name: | "MEDIUM | WN10-AU-000083 | PATCH | Windows 10 must be configured to audit Object Access - Other Object Access Events successes." "MEDIUM | WN10-AU-000084 | PATCH | Windows 10 must be configured to audit Object Access - Other Object Access Events failures." - win_audit_policy_system: + community.windows.win_audit_policy_system: subcategory: Other Object Access Events audit_type: "{{ (wn10_AU_000083 and not wn10_AU_000084) | ternary ('success', '') }}{{ (wn10_AU_000084 and not wn10_AU_000083) | ternary ('failure', '') }}{{ (wn10_AU_000083 and wn10_AU_000084) | ternary ('success, failure', '') }}" when: @@ -1183,7 +1183,7 @@ - name: | "MEDIUM | WN10-AU-000085 | PATCH | The system must be configured to audit Object Access - Removable Storage failures." "MEDIUM | WN10-AU-000090 | PATCH | The system must be configured to audit Object Access - Removable Storage successes." - win_audit_policy_system: + community.windows.win_audit_policy_system: subcategory: Removable Storage audit_type: "{{ (wn10_AU_000085 and not wn10_AU_000090) | ternary ('failure', '') }}{{ (wn10_AU_000090 and not wn10_AU_000085) | ternary ('success', '') }}{{ (wn10_AU_000085 and wn10_AU_000090) | ternary ('success, failure', '') }}" when: 
@@ -1201,7 +1201,7 @@ - V-220766 - name: "MEDIUM | WN10-AU-000100 | PATCH | The system must be configured to audit Policy Change - Audit Policy Change successes." - win_audit_policy_system: + community.windows.win_audit_policy_system: subcategory: Audit Policy Change audit_type: "{{ win10stig_audit_settings.audit_policy_change_include_failure | ternary ('success, failure', 'success' ) }}" when: @@ -1215,7 +1215,7 @@ - V-220767 - name: "MEDIUM | WN10-AU-000105 | PATCH | The system must be configured to audit Policy Change - Authentication Policy Change successes." - win_audit_policy_system: + community.windows.win_audit_policy_system: subcategory: Authentication Policy Change audit_type: "{{ win10stig_audit_settings.authentication_policy_change_include_failure | ternary ('success, failure', 'success' ) }}" when: @@ -1230,7 +1230,7 @@ - V-220768 - name: "MEDIUM | WN10-AU-000107 | PATCH | The system must be configured to audit Policy Change - Authorization Policy Change successes." - win_audit_policy_system: + community.windows.win_audit_policy_system: subcategory: Authorization Policy Change audit_type: "{{ win10stig_audit_settings.authorization_policy_change_include_failure | ternary ('success, failure', 'success' ) }}" when: @@ -1246,7 +1246,7 @@ - name: | "MEDIUM | WN10-AU-000110 | PATCH | The system must be configured to audit Privilege Use - Sensitive Privilege Use failures." "MEDIUM | WN10-AU-000115 | PATCH | The system must be configured to audit Privilege Use - Sensitive Privilege Use successes." - win_audit_policy_system: + community.windows.win_audit_policy_system: subcategory: Sensitive Privilege Use audit_type: "{{ (wn10_AU_000110 and not wn10_AU_000115) | ternary ('failure', '') }}{{ (wn10_AU_000115 and not wn10_AU_000110) | ternary ('success', '') }}{{ (wn10_AU_000110 and wn10_AU_000115) | ternary ('success, failure', '') }}" when: 
@@ -1265,7 +1265,7 @@ - V-220771 - name: "MEDIUM | WN10-AU-000120 | PATCH | The system must be configured to audit System - IPSec Driver failures." - win_audit_policy_system: + community.windows.win_audit_policy_system: subcategory: IPSec Driver audit_type: "{{ win10stig_audit_settings.ipsec_drive_include_success | ternary ('success, failure', 'failure' ) }}" when: @@ -1281,7 +1281,7 @@ - name: | "MEDIUM | WN10-AU-000130 | PATCH | The system must be configured to audit System - Other System Events successes." "MEDIUM | WN10-AU-000135 | PATCH | The system must be configured to audit System - Other System Events failures." - win_audit_policy_system: + community.windows.win_audit_policy_system: subcategory: Other System Events audit_type: "{{ (wn10_AU_000130 and not wn10_AU_000135) | ternary ('success', '') }}{{ (wn10_AU_000135 and not wn10_AU_000130) | ternary ('failure', '') }}{{ (wn10_AU_000130 and wn10_AU_000135) | ternary ('success, failure', '') }}" when: @@ -1299,7 +1299,7 @@ - V-220774 - name: "MEDIUM | WN10-AU-000140 | PATCH | The system must be configured to audit System - Security State Change successes." - win_audit_policy_system: + community.windows.win_audit_policy_system: subcategory: Security State Change audit_type: "{{ win10stig_audit_settings.security_state_change_include_failure | ternary ('success, failure', 'success' ) }}" when: @@ -1314,7 +1314,7 @@ - V-220775 - name: "MEDIUM | WN10-AU-000150 | PATCH | The system must be configured to audit System - Security System Extension successes." - win_audit_policy_system: + community.windows.win_audit_policy_system: subcategory: Security System Extension audit_type: "{{ win10stig_audit_settings.security_system_extension_include_failure | ternary ('success, failure', 'success' ) }}" when: 
@@ -1331,7 +1331,7 @@ - name: | "MEDIUM | WN10-AU-000155 | PATCH | The system must be configured to audit System - System Integrity failures." "MEDIUM | WN10-AU-000160 | PATCH | The system must be configured to audit System - System Integrity successes." - win_audit_policy_system: + community.windows.win_audit_policy_system: subcategory: System Integrity audit_type: "{{ (wn10_AU_000155 and not wn10_AU_000160) | ternary ('failure', '') }}{{ (wn10_AU_000160 and not wn10_AU_000155) | ternary ('success', '') }}{{ (wn10_AU_000155 and wn10_AU_000160) | ternary ('success, failure', '') }}" when: @@ -1350,7 +1350,7 @@ - V-220778 - name: "MEDIUM | WN10-AU-000500 | PATCH | The Application event log size must be configured to 32768 KB or greater." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application value: MaxSize state: present @@ -1367,7 +1367,7 @@ - V-220779 - name: "MEDIUM | WN10-AU-000505 | PATCH | The Security event log size must be configured to 1024000 KB or greater." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security value: MaxSize state: present @@ -1384,7 +1384,7 @@ - V-220780 - name: "MEDIUM | WN10-AU-000510 | PATCH | The System event log size must be configured to 32768 KB or greater." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\System value: MaxSize state: present @@ -1403,7 +1403,7 @@ - name: "MEDIUM | WN10-AU-000515 | AUDIT | Windows 10 permissions for the Application event log must prevent access by non-privileged accounts." block: - name: "MEDIUM | WN10-AU-000515 | PATCH | Windows 10 permissions for the Application event log must prevent access by non-privileged accounts. | Set Default Log Locations." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Application value: File state: present 
@@ -1412,14 +1412,14 @@ when: win10stig_default_log_location - name: "MEDIUM | WN10-AU-000515 | AUDIT | Windows 10 permissions for the Application event log must prevent access by non-privileged accounts. | Get Current Permissions For Default Application Log." - win_shell: get-acl c:\Windows\System32\winevt\Logs\Application.evtx | FL AccessToString + ansible.windows.win_shell: get-acl c:\Windows\System32\winevt\Logs\Application.evtx | FL AccessToString changed_when: false failed_when: false register: wn10_au_000515_app_log_permissions when: win10stig_default_log_location - name: "MEDIUM | WN10-AU-000515 | AUDIT | Windows 10 permissions for the Application event log must prevent access by non-privileged accounts. | Permissions warning for accounts." - debug: + ansible.builtin.debug: msg: - "Warning!! Ensure the permissions on the Application event log (Application.evtx) are configured" - "to prevent standard user accounts or groups from having access." @@ -1427,7 +1427,7 @@ when: win10stig_default_log_location - name: "MEDIUM | WN10-AU-000515 | AUDIT | Windows 10 permissions for the Application event log must prevent access by non-privileged accounts. | Warning message for default location change." - debug: + ansible.builtin.debug: msg: - "Warning!! The location of the logs is not set to default location." - "When adding Eventlog to the permissions, it must be entered as NT Service\\Eventlog." @@ -1455,7 +1455,7 @@ - name: "MEDIUM | WN10-AU-000520 | AUDIT | Windows 10 permissions for the Security event log must prevent access by non-privileged accounts." block: - name: "MEDIUM | WN10-AU-000520 | PATCH | Windows 10 permissions for the Security event log must prevent access by non-privileged accounts. | Set Default Log Locations." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security value: File state: present 
@@ -1464,14 +1464,14 @@ when: win10stig_default_log_location - name: "MEDIUM | WN10-AU-000520 | AUDIT | Windows 10 permissions for the Security event log must prevent access by non-privileged accounts. | Get Current Permissions For Default Security Log." - win_shell: get-acl c:\Windows\System32\winevt\Logs\Security.evtx | FL AccessToString + ansible.windows.win_shell: get-acl c:\Windows\System32\winevt\Logs\Security.evtx | FL AccessToString changed_when: false failed_when: false register: wn10_au_000520_security_log_permissions when: win10stig_default_log_location - name: "MEDIUM | WN10-AU-000520 | AUDIT | Windows 10 permissions for the Security event log must prevent access by non-privileged accounts. | Permissions warning for accounts." - debug: + ansible.builtin.debug: msg: - "Warning!! Ensure the permissions on the Security event log (Security.evtx) are configured" - "to prevent standard user accounts or groups from having access." @@ -1479,7 +1479,7 @@ when: win10stig_default_log_location - name: "MEDIUM | WN10-AU-000520 | AUDIT | Windows 10 permissions for the Security event log must prevent access by non-privileged accounts. | Warning message for default location change." - debug: + ansible.builtin.debug: msg: - "Warning!! The location of the logs is not set to default location." - "When adding Eventlog to the permissions, it must be entered as NT Service\\Eventlog." @@ -1507,7 +1507,7 @@ - name: "MEDIUM | WN10-AU-000525 | AUDIT | Windows 10 permissions for the System event log must prevent access by non-privileged accounts." block: - name: "MEDIUM | WN10-AU-000525 | PATCH | Windows 10 permissions for the System event log must prevent access by non-privileged accounts. | Set Default Log Locations." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\System value: File state: present 
@@ -1516,14 +1516,14 @@ when: win10stig_default_log_location - name: "MEDIUM | WN10-AU-000525 | AUDIT | Windows 10 permissions for the System event log must prevent access by non-privileged accounts. | Get Current Permissions For Default System Log." - win_shell: get-acl c:\Windows\System32\winevt\Logs\System.evtx | FL AccessToString + ansible.windows.win_shell: get-acl c:\Windows\System32\winevt\Logs\System.evtx | FL AccessToString changed_when: false failed_when: false register: wn10_au_000520_system_log_permissions when: win10stig_default_log_location - name: "MEDIUM | WN10-AU-000525 | AUDIT | Windows 10 permissions for the System event log must prevent access by non-privileged accounts. | Permissions warning for accounts." - debug: + ansible.builtin.debug: msg: - "Warning!! Ensure the permissions on the Security event log (System.evtx) are configured" - "to prevent standard user accounts or groups from having access." @@ -1531,7 +1531,7 @@ when: win10stig_default_log_location - name: "MEDIUM | WN10-AU-000525 | AUDIT | Windows 10 permissions for the System event log must prevent access by non-privileged accounts. | Warning message for default location change." - debug: + ansible.builtin.debug: msg: - "Warning!! The location of the logs is not set to default location." - "When adding Eventlog to the permissions, it must be entered as NT Service\\Eventlog." @@ -1557,7 +1557,7 @@ - V-220784 - name: "MEDIUM | WN10-AU-000555 | PATCH | Windows 10 must be configured to audit Other Policy Change Events Failures." - win_audit_policy_system: + community.windows.win_audit_policy_system: subcategory: Other Policy Change Events audit_type: failure when: 
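Review bot: In the first hunk of the WN10-AU-000525 (System log) block, the `get-acl` result is registered as `wn10_au_000520_system_log_permissions`, reusing the WN10-AU-000520 prefix, and the warning that follows reads `Security event log (System.evtx)`; both look like copy-paste leftovers from the Security-log block. Rename the register to `wn10_au_000525_system_log_permissions` (together with any reference to it, which is outside the hunk) and change the message line to `- "Warning!! Ensure the permissions on the System event log (System.evtx) are configured"`.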
@@ -1573,7 +1573,7 @@ - name: | "MEDIUM | WN10-AU-000560 | PATCH | Windows 10 must be configured to audit other Logon/Logoff Events Successes." "MEIDUM | WN10-AU-000565 | PATCH | Windows 10 must be configured to audit other Logon/Logoff Events Failures." - win_audit_policy_system: + community.windows.win_audit_policy_system: subcategory: Other Logon/Logoff Events audit_type: "{{ (wn10_AU_000560 and not wn10_AU_000565) | ternary ('success', '') }}{{ (wn10_AU_000565 and not wn10_AU_000560) | ternary ('failure', '') }}{{ (wn10_AU_000560 and wn10_AU_000565) | ternary ('success, failure', '') }}" when: @@ -1591,7 +1591,7 @@ - V-220788 - name: "MEDIUM | WN10-AU-000570 | PATCH | Windows 10 must be configured to audit Detailed File Share Failures." - win_audit_policy_system: + community.windows.win_audit_policy_system: subcategory: Detailed File Share audit_type: "{{ win10stig_audit_settings.detailed_file_share_include_success | ternary ('success, failure', 'failure' ) }}" when: @@ -1607,7 +1607,7 @@ - name: | "MEDIUM | WN10-AU-000575 | PATCH | Windows 10 must be configured to audit MPSSVC Rule-Level Policy Change Successes." "MEDIUM | WN10-AU-000580 | PATCH | Windows 10 must be configured to audit MPSSVC Rule-Level Policy Change Failures." - win_audit_policy_system: + community.windows.win_audit_policy_system: subcategory: MPSSVC Rule-Level Policy Change audit_type: "{{ (wn10_AU_000575 and not wn10_AU_000580) | ternary ('success', '') }}{{ (wn10_AU_000580 and not wn10_AU_000575) | ternary ('failure', '') }}{{ (wn10_AU_000575 and wn10_AU_000580) | ternary ('success, failure', '') }}" when: @@ -1625,7 +1625,7 @@ - V-220791 - name: "MEDIUM | WN10-CC-000005 | PATCH | Camera access from the lock screen must be disabled." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization value: NoLockScreenCamera data: 1 
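Review bot: The second task name in the first hunk reads `MEIDUM | WN10-AU-000565 | PATCH | ...`, while every other task in the file uses the `MEDIUM` severity prefix; it should be `"MEDIUM | WN10-AU-000565 | PATCH | Windows 10 must be configured to audit other Logon/Logoff Events Failures."` so the name is consistent with its siblings.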
@@ -1641,7 +1641,7 @@ - V-220792 - name: "MEDIUM | WN10-CC-000007 | PATCH | Windows 10 must cover or disable the built-in or attached camera when not in use." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam value: Value data: deny @@ -1657,7 +1657,7 @@ - V-220793 - name: "MEDIUM | WN10-CC-000010 | PATCH | The display of slide shows on the lock screen must be disabled." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization value: NoLockScreenSlideshow data: 1 @@ -1673,7 +1673,7 @@ - V-220794 - name: "MEDIUM | WN10-CC-000020 | PATCH | IPv6 source routing must be configured to highest protection." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters value: DisableIpSourceRouting data: 2 @@ -1689,7 +1689,7 @@ - V-220795 - name: "MEDIUM | WN10-CC-000025 | PATCH | The system must be configured to prevent IP source routing." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters value: DisableIPSourceRouting data: 2 @@ -1705,7 +1705,7 @@ - V-220796 - name: "MEDIUM | WN10-CC-000037 | PATCH | Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System value: LocalAccountTokenFilterPolicy data: 0 @@ -1722,7 +1722,7 @@ - V-220799 - name: "MEDIUM | WN10-CC-000038 | PATCH | WDigest Authentication must be disabled." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest value: UseLogonCredential data: 0 
@@ -1738,7 +1738,7 @@ - V-220800 - name: "MEDIUM | WN10-CC-000039 | PATCH | Run as different user must be removed from context menus." - win_regedit: + ansible.windows.win_regedit: path: HKLM:{{ item }} value: SuppressionPolicy data: 4096 @@ -1759,7 +1759,7 @@ - V-220801 - name: "MEDIUM | WN10-CC-000040 | PATCH | Insecure logons to an SMB server must be disabled." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation value: AllowInsecureGuestAuth data: 0 @@ -1775,7 +1775,7 @@ - V-220802 - name: "MEDIUM | WN10-CC-000044 | PATCH | Internet connection sharing must be disabled." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections value: NC_ShowSharedAccessUI data: 0 @@ -1791,7 +1791,7 @@ - V-220803 - name: "MEDIUM | WN10-CC-000050 | PATCH | Hardened UNC Paths must be defined to require mutual authentication and integrity for at least the SYSVOL and NETLOGON shares." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths value: "{{ item }}" data: RequireMutualAuthentication=1, RequireIntegrity=1 @@ -1811,7 +1811,7 @@ - V-250319 - name: "MEDIUM | WN10-CC-000052 | PATCH | Windows 10 must be configured to prioritize ECC Curves with longer key lengths first." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002 value: EccCurves data: NistP384 NistP256 @@ -1827,7 +1827,7 @@ - V-220805 - name: "MEDIUM | WN10-CC-000055 | PATCH | Simultaneous connections to the Internet or a Windows domain must be limited." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy value: fMinimizeConnections data: 3 
@@ -1843,7 +1843,7 @@ - V-220806 - name: "MEDIUM | WN10-CC-000060 | PATCH | Connections to non-domain networks when connected to a domain authenticated network must be blocked." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy value: fBlockNonDomain data: 1 @@ -1861,7 +1861,7 @@ # This functionality has been removed in Windows 10 v1803 and newer and is not applicable to those newer versions - name: "MEDIUM | WN10-CC-000065 | PATCH | Wi-Fi Sense must be disabled." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config value: AutoConnectAllowedOEM data: 0 @@ -1878,7 +1878,7 @@ - V-220808 - name: "MEDIUM | WN10-CC-000066 | PATCH | Command line data must be included in process creation events." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit value: ProcessCreationIncludeCmdLine_Enabled data: 1 @@ -1895,7 +1895,7 @@ # This control is not applicable to Windows 10 version 1507 and 1607 - name: "MEDIUM | WN10-CC-000068 | PATCH | Windows 10 must be configured to enable Remote host allows delegation of non-exportable credentials." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation value: AllowProtectedCreds data: 1 @@ -1913,7 +1913,7 @@ - V-220810 - name: "MEDIUM | WN10-CC-000085 | PATCH | Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Policies\EarlyLaunch value: DriverLoadPolicy data: "{{ win10stig_boot_driver_init_policy }}" 
@@ -1929,7 +1929,7 @@ - V-220813 - name: "MEDIUM | WN10-CC-000090 | PATCH | Group Policy objects must be reprocessed even if they have not changed." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} value: NoGPOListChanges data: 0 @@ -1945,7 +1945,7 @@ - V-220814 - name: "MEDIUM | WN10-CC-000100 | PATCH | Downloading print driver packages over HTTP must be prevented." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers value: DisableWebPnPDownload data: 1 @@ -1961,7 +1961,7 @@ - V-220815 - name: "MEDIUM | WN10-CC-000105 | PATCH | Web publishing and online ordering wizards must be prevented from downloading a list of providers." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer value: NoWebServices data: 1 @@ -1977,7 +1977,7 @@ - V-220816 - name: "MEDIUM | WN10-CC-000110 | PATCH | Printing over HTTP must be prevented." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers value: DisableHTTPPrinting data: 1 @@ -1993,7 +1993,7 @@ - V-220817 - name: "MEDIUM | WN10-CC-000115 | PATCH | Systems must at least attempt device authentication using certificates." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters value: DevicePKInitEnabled data: 1 @@ -2010,7 +2010,7 @@ - V-220818 - name: "MEDIUM | WN10-CC-000120 | PATCH | The network selection user interface (UI) must not be displayed on the logon screen." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System value: DontDisplayNetworkSelectionUI data: 1 
@@ -2026,7 +2026,7 @@ - V-220819 - name: "MEDIUM | WN10-CC-000130 | PATCH | Local users on domain-joined computers must not be enumerated." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System value: EnumerateLocalUsers data: 0 @@ -2043,7 +2043,7 @@ - V-220820 - name: "MEDIUM | WN10-CC-000145 | PATCH | Users must be prompted for a password on resume from sleep (on battery)." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 value: DCSettingIndex data: 1 @@ -2059,7 +2059,7 @@ - V-220821 - name: "MEDIUM | WN10-CC-000150 | PATCH | The user must be prompted for a password on resume from sleep (plugged in)." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 value: ACSettingIndex data: 1 @@ -2075,7 +2075,7 @@ - V-220822 - name: "MEDIUM | WN10-CC-000165 | PATCH | Unauthenticated RPC clients must be restricted from connecting to the RPC server." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc value: RestrictRemoteClients data: 1 @@ -2092,7 +2092,7 @@ # Windows 10 v1507 LTSB version does not include this setting and this control is NA to those systems - name: "MEDIUM | WN10-CC-000195 | PATCH | Enhanced anti-spoofing for facial recognition must be enabled on Window 10." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures value: EnhancedAntiSpoofing data: 1 @@ -2109,7 +2109,7 @@ - V-220830 - name: "MEDIUM | WN10-CC-000200 | PATCH | Administrator accounts must not be enumerated during elevation." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI value: EnumerateAdministrators data: 0 
@@ -2125,7 +2125,7 @@ - V-220832 - name: "MEDIUM | WN10-CC-000204 | PATCH | If Enhanced diagnostic data is enabled it must be limited to the minimum required to support Windows Analytics." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection value: LimitEnhancedDiagnosticDataWindowsAnalytics data: 1 @@ -2143,7 +2143,7 @@ - V-220833 - name: "MEDIUM | WN10-CC-000205 | PATCH | Windows Telemetry must not be configured to Full." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection value: AllowTelemetry data: "{{ win10stig_allow_telemetry_value }}" @@ -2161,14 +2161,14 @@ - name: "MEDIUM | WN10-CC-000210 | PATCH | The Windows Defender SmartScreen for Explorer must be enabled." block: - name: "MEDIUM | WN10-CC-000210 | PATCH | The Windows Defender SmartScreen for Explorer must be enabled. | SmartScreen enable" - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System value: EnableSmartScreen data: 1 type: dword - name: "MEDIUM | WN10-CC-000210 | PATCH | The Windows Defender SmartScreen for Explorer must be enabled. | Block ShellSmartScreen" - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System value: ShellSmartScreenLevel data: Block @@ -2184,7 +2184,7 @@ - V-220836 - name: "MEDIUM | WN10-CC-000215 | PATCH | Explorer Data Execution Prevention must be enabled." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer value: NoDataExecutionPrevention data: 0 @@ -2200,7 +2200,7 @@ - V-220837 - name: "MEDIUM | WN10-CC-000225 | PATCH | File Explorer shell protocol must run in protected mode." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer value: PreXPSP2ShellProtocolBehavior data: 0 
@@ -2216,7 +2216,7 @@ - V-220839 - name: "MEDIUM | WN10-CC-000230 | PATCH | Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for malicious websites in Microsoft Edge." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter value: PreventOverride data: 1 @@ -2232,7 +2232,7 @@ - V-220840 - name: "MEDIUM | WN10-CC-000235 | PATCH | Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for unverified files in Microsoft Edge." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter value: PreventOverrideAppRepUnknown data: 1 @@ -2248,7 +2248,7 @@ - V-220841 - name: "MEDIUM | WN10-CC-000238 | PATCH | Windows 10 must be configured to prevent certificate error overrides in Microsoft Edge." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Internet Settings value: PreventCertErrorOverrides data: 1 @@ -2264,7 +2264,7 @@ - V-220842 - name: "MEDIUM | WN10-CC-000245 | PATCH | The password manager function in the Edge browser must be disabled." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main value: FormSuggest Passwords data: no # yamllint disable-line rule:truthy @@ -2280,7 +2280,7 @@ - V-220843 - name: "MEDIUM | WN10-CC-000250 | PATCH | The Windows Defender SmartScreen filter for Microsoft Edge must be enabled." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter value: EnabledV9 data: 1 @@ -2296,7 +2296,7 @@ - V-220844 - name: "MEDIUM | WN10-CC-000252 | PATCH | Windows 10 must be configured to disable Windows Game Recording and Broadcasting." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\GameDVR value: AllowGameDVR data: 0 
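Review bot: `data: no` in the `@@ -2264` hunk (WN10-CC-000245, `FormSuggest Passwords`) is still a bare YAML 1.1 boolean, so Ansible's loader hands `ansible.windows.win_regedit` a Python `False` instead of the string `no`, and the `# yamllint disable-line rule:truthy` comment silences the warning that was pointing at exactly this. The value the task is plainly meant to write is the literal string, so the line should be `data: "no"` with the lint suppression dropped. The task's `type:` line lies outside the hunk, so whether the module coerces the boolean back into the expected text before writing it I can't confirm from here.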
@@ -2312,7 +2312,7 @@ - V-220845 - name: "MEDIUM | WN10-CC-000255 | PATCH | The use of a hardware security device with Windows Hello for Business must be enabled." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork value: RequireSecurityDevice data: 1 @@ -2328,7 +2328,7 @@ - V-220846 - name: "MEDIUM | WN10-CC-000260 | PATCH | Windows 10 must be configured to require a minimum pin length of six characters or greater." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity value: MinimumPINLength data: "{{ win10stig_min_pin_length }}" @@ -2344,7 +2344,7 @@ - V-220847 - name: "MEDIUM | WN10-CC-000270 | PATCH | Passwords must not be saved in the Remote Desktop Client." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services value: DisablePasswordSaving data: 1 @@ -2360,7 +2360,7 @@ - V-220848 - name: "MEDIUM | WN10-CC-000275 | PATCH | Local drives must be prevented from sharing with Remote Desktop Session Hosts." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services value: fDisableCdm data: 1 @@ -2376,7 +2376,7 @@ - V-220849 - name: "MEDIUM | WN10-CC-000280 | PATCH | Remote Desktop Services must always prompt a client for passwords upon connection." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services value: fPromptForPassword data: 1 @@ -2392,7 +2392,7 @@ - V-220850 - name: "MEDIUM | WN10-CC-000285 | PATCH | The Remote Desktop Session Host must require secure RPC communications." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services value: fEncryptRPCTraffic data: 1 
@@ -2408,7 +2408,7 @@ - V-220851 - name: "MEDIUM | WN10-CC-000290 | PATCH | Remote Desktop Services must be configured with the client connection encryption set to the required level." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services value: MinEncryptionLevel data: 3 @@ -2425,7 +2425,7 @@ - V-220852 - name: "MEDIUM | WN10-CC-000295 | PATCH | Attachments must be prevented from being downloaded from RSS feeds." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds value: DisableEnclosureDownload data: 1 @@ -2441,7 +2441,7 @@ - V-220853 - name: "MEDIUM | WN10-CC-000300 | PATCH | Basic authentication for RSS feeds over HTTP must not be used." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds value: AllowBasicAuthInClear data: 0 @@ -2457,7 +2457,7 @@ - V-220854 - name: "MEDIUM | WN10-CC-000305 | PATCH | Indexing of encrypted files must be turned off." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search value: AllowIndexingEncryptedStoresOrItems data: 0 @@ -2473,7 +2473,7 @@ - V-220855 - name: "MEDIUM | WN10-CC-000310 | PATCH | Users must be prevented from changing installation options." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer value: EnableUserControl data: 0 @@ -2489,7 +2489,7 @@ - V-220856 - name: "MEDIUM | WN10-CC-000320 | PATCH | Users must be notified if a web-based program attempts to install software." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer value: SafeForScripting data: 0 
@@ -2505,7 +2505,7 @@ - V-220858 - name: "MEDIUM | WN10-CC-000325 | PATCH | Automatically signing in the last interactive user after a system-initiated restart must be disabled." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System value: DisableAutomaticRestartSignOn data: 1 @@ -2521,7 +2521,7 @@ - V-220859 - name: "MEDIUM | WN10-CC-000326 | PATCH | PowerShell script block logging must be enabled on Windows 10." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging value: EnableScriptBlockLogging data: 1 @@ -2537,7 +2537,7 @@ - V-220860 - name: "MEDIUM | WN10-CC-000328 | PATCH | The Windows Explorer Preview pane must be disabled for Windows 10." - win_regedit: + ansible.windows.win_regedit: path: HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer value: "{{ item }}" data: 1 @@ -2556,7 +2556,7 @@ - V-220861 - name: "MEDIUM | WN10-CC-000335 | PATCH | The Windows Remote Management (WinRM) client must not allow unencrypted traffic." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client value: AllowUnencryptedTraffic data: 0 @@ -2573,7 +2573,7 @@ - V-220863 - name: "MEDIUM | WN10-CC-000350 | PATCH | The Windows Remote Management (WinRM) service must not allow unencrypted traffic." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service value: AllowUnencryptedTraffic data: 0 @@ -2590,7 +2590,7 @@ - V-220866 - name: "MEDIUM | WN10-CC-000355 | PATCH | The Windows Remote Management (WinRM) service must not store RunAs credentials." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service value: DisableRunAs data: 1 
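Review bot: The `@@ -2537` hunk (WN10-CC-000328) points `ansible.windows.win_regedit` at `HKCU:\SOFTWARE\...\Policies\Explorer`, and over a remote connection that hive belongs to the account Ansible logs in as, so the preview-pane setting is applied to that one profile rather than to every user the control covers; the `HKCU:\...\Policies\Attachments` write in the `@@ -3450` hunk further down has the same scope. If system-wide enforcement is the intent, the value needs to go under `HKLM:` where Windows honours the same policy there, or be applied per loaded user hive — which of the two was intended isn't visible in the hunk. The task's loop (`value: "{{ item }}"`) and `when:` continue past the hunk; at minimum a comment above it such as `# NOTE: HKCU here is the connecting account's hive only - TODO confirm this is the intended scope` would make the limitation visible.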
@@ -2606,7 +2606,7 @@ - V-220867 - name: "MEDIUM | WN10-CC-000360 | PATCH | The Windows Remote Management (WinRM) client must not use Digest authentication." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client value: AllowDigest data: 0 @@ -2623,7 +2623,7 @@ # If "Allow voice activation” policy is configured to disallow applications to be activated with voice for all users this control is NA - name: "MEDIUM | WN10-CC-000365 | PATCH | Windows 10 must be configured to prevent Windows apps from being activated by voice while the system is locked." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy value: LetAppsActivateWithVoiceAboveLock data: 2 @@ -2640,7 +2640,7 @@ - V-220869 - name: "MEDIUM | WN10-CC-000370 | PATCH | The convenience PIN for Windows 10 must be disabled." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System value: AllowDomainPINLogon data: 0 @@ -2656,7 +2656,7 @@ - V-220870 - name: "MEDIUM | WN10-CC-000385 | PATCH | Windows Ink Workspace must be configured to disallow access above the lock." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace value: AllowWindowsInkWorkspace data: 1 @@ -2672,7 +2672,7 @@ - V-220871 - name: "MEDIUM | WN10-EP-000310 | PATCH | Windows 10 Kernel (Direct Memory Access) DMA Protection must be enabled." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Kernel DMA Protection value: DeviceEnumerationPolicy data: 0 
@@ -2690,39 +2690,39 @@ - name: "MEDIUM | WN10-PK-000005 | AUDIT | The DoD Root CA certificates must be installed in the Trusted Root Store." block: - name: "MEDIUM | WN10-PK-000005 | AUDIT | The DoD Root CA certificates must be installed in the Trusted Root Store. | Check For DOD Root CA 3." - win_shell: Get-ChildItem -Path Cert:Localmachine\root | Where {$_.Subject -Like "*DoD Root CA 3*" -and $_.Thumbprint -Like "D73CA91102A2204A36459ED32213B467D7CE97FB"} | FL Subject, Issuer, Thumbprint, NotAfter + ansible.windows.win_shell: Get-ChildItem -Path Cert:Localmachine\root | Where {$_.Subject -Like "*DoD Root CA 3*" -and $_.Thumbprint -Like "D73CA91102A2204A36459ED32213B467D7CE97FB"} | FL Subject, Issuer, Thumbprint, NotAfter changed_when: false failed_when: false register: wn10_pk_000005_root_3_Check - name: "MEDIUM | WN10-PK-000005 | AUDIT | The DoD Root CA certificates must be installed in the Trusted Root Store. | Warning!! No DOD Root CA 3 Certificate Installed." - debug: + ansible.builtin.debug: msg: - "Warning!! The DOD Root CA 3 is not installed on the system or" - "contains a incorrect Thumbprint for the Root CA Certificate." when: wn10_pk_000005_root_3_Check.stdout == "" - name: "MEDIUM | WN10-PK-000005 | AUDIT | The DoD Root CA certificates must be installed in the Trusted Root Store. | Check For DOD Root CA 4." - win_shell: Get-ChildItem -Path Cert:Localmachine\root | Where {$_.Subject -Like "*DoD Root CA 4*" -and $_.Thumbprint -Like "B8269F25DBD937ECAFD4C35A9838571723F2D026"} | FL Subject, Issuer, Thumbprint, NotAfter + ansible.windows.win_shell: Get-ChildItem -Path Cert:Localmachine\root | Where {$_.Subject -Like "*DoD Root CA 4*" -and $_.Thumbprint -Like "B8269F25DBD937ECAFD4C35A9838571723F2D026"} | FL Subject, Issuer, Thumbprint, NotAfter changed_when: false failed_when: false register: wn10_pk_000005_root_4_Check - name: "MEDIUM | WN10-PK-000005 | AUDIT | The DoD Root CA certificates must be installed in the Trusted Root Store. | Warning!! 
No DOD Root CA 4 Certificate Installed." - debug: + ansible.builtin.debug: msg: - "Warning!! The DOD Root CA 4 is not installed on the system or" - "contains a incorrect Thumbprint for the Root CA Certificate." when: wn10_pk_000005_root_4_Check.stdout == "" - name: "MEDIUM | WN10-PK-000005 | AUDIT | The DoD Root CA certificates must be installed in the Trusted Root Store. | Check For DOD Root CA 5." - win_shell: Get-ChildItem -Path Cert:Localmachine\root | Where {$_.Subject -Like "*DoD Root CA 5*" -and $_.Thumbprint -Like "4ECB5CC3095670454DA1CBD410FC921F46B8564B"} | FL Subject, Issuer, Thumbprint, NotAfter + ansible.windows.win_shell: Get-ChildItem -Path Cert:Localmachine\root | Where {$_.Subject -Like "*DoD Root CA 5*" -and $_.Thumbprint -Like "4ECB5CC3095670454DA1CBD410FC921F46B8564B"} | FL Subject, Issuer, Thumbprint, NotAfter changed_when: false failed_when: false register: wn10_pk_000005_root_5_Check - name: "MEDIUM | WN10-PK-000005 | AUDIT | The DoD Root CA certificates must be installed in the Trusted Root Store. | Warning!! No DOD Root CA 5 Certificate Installed." - debug: + ansible.builtin.debug: msg: - "Warning!! The DOD Root CA 5 is not installed on the system or" - "contains a incorrect Thumbprint for the Root CA Certificate." 
@@ -2750,26 +2750,26 @@ - name: "MEDIUM | WN10-PK-000010 | PATCH | The External Root CA certificates must be installed in the Trusted Root Store on unclassified systems." block: - name: "MEDIUM | WN10-PK-000010 | PATCH | The External Root CA certificates must be installed in the Trusted Root Store on unclassified systems. | Check For ECA Root CA 2." - win_shell: Get-ChildItem -Path Cert:Localmachine\root | Where {$_.Subject -Like "*ECA Root CA 2*" -and $_.Thumbprint -Like "C313F919A6ED4E0E8451AFA930FB419A20F181E4"} | FL Subject, Issuer, Thumbprint, NotAfter + ansible.windows.win_shell: Get-ChildItem -Path Cert:Localmachine\root | Where {$_.Subject -Like "*ECA Root CA 2*" -and $_.Thumbprint -Like "C313F919A6ED4E0E8451AFA930FB419A20F181E4"} | FL Subject, Issuer, Thumbprint, NotAfter changed_when: false failed_when: false register: wn10_pk_000010_eca_2_check - name: "MEDIUM | WN10-PK-000010 | PATCH | The External Root CA certificates must be installed in the Trusted Root Store on unclassified systems. | Warning!! No ECA Root CA 2 Certificate Installed." - debug: + ansible.builtin.debug: msg: - "Warning!! The ECA Root CA 2 is not installed on the system or" - "contains a incorrect Thumbprint for the Root CA Certificate." when: wn10_pk_000010_eca_2_check.stdout == "" - name: "MEDIUM | WN10-PK-000010 | PATCH | The External Root CA certificates must be installed in the Trusted Root Store on unclassified systems. | Check For ECA Root CA 4." 
- win_shell: Get-ChildItem -Path Cert:Localmachine\root | Where {$_.Subject -Like "*ECA Root CA 4*" -and $_.Thumbprint -Like "73E8BB08E337D6A5A6AEF90CFFDD97D9176CB582"} | FL Subject, Issuer, Thumbprint, NotAfter + ansible.windows.win_shell: Get-ChildItem -Path Cert:Localmachine\root | Where {$_.Subject -Like "*ECA Root CA 4*" -and $_.Thumbprint -Like "73E8BB08E337D6A5A6AEF90CFFDD97D9176CB582"} | FL Subject, Issuer, Thumbprint, NotAfter changed_when: false failed_when: false register: wn10_pk_000010_eca_4_check - name: "MEDIUM | WN10-PK-000010 | PATCH | The External Root CA certificates must be installed in the Trusted Root Store on unclassified systems. | Warning!! No ECA Root CA 4 Certificate Installed." - debug: + ansible.builtin.debug: msg: - "Warning!! The ECA Root CA 4 is not installed on the system or" - "contains a incorrect Thumbprint for the Root CA Certificate." 
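Review bot: WN10-PK-000010 is labelled `PATCH` in every task name of this hunk, but the block only runs `ansible.windows.win_shell` lookups with `changed_when: false` and emits `ansible.builtin.debug` warnings — it audits, it does not install the ECA root certificates. WN10-PK-000005 in the preceding hunk is labelled `AUDIT` for identical behaviour, and the same mismatch exists in the WN10-PK-000015 (`@@ -2795`) and WN10-PK-000020 (`@@ -2841`) hunks that follow. Renaming these to `AUDIT`, e.g. `- name: "MEDIUM | WN10-PK-000010 | AUDIT | The External Root CA certificates must be installed in the Trusted Root Store on unclassified systems. | Check For ECA Root CA 2."`, keeps an operator from reading the run summary as remediated when the certificates were only checked for. Whether a `tags:` entry also carries `patch` is outside the hunk.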
@@ -2795,26 +2795,26 @@ - name: "MEDIUM | WN10-PK-000015 | PATCH | The DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems." block: - name: "MEDIUM | WN10-PK-000015 | PATCH | The DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems. | DoD Interoperability Root CA 2 AC Thumb Check." - win_shell: Get-ChildItem -Path Cert:Localmachine\disallowed | Where {$_.Issuer -Like "*DoD Interoperability*" -and $_.Subject -Like "*DoD*" -and $_.Thumbprint -Like "AC06108CA348CC03B53795C64BF84403C1DBD341"} | FL Subject, Issuer, Thumbprint, NotAfter + ansible.windows.win_shell: Get-ChildItem -Path Cert:Localmachine\disallowed | Where {$_.Issuer -Like "*DoD Interoperability*" -and $_.Subject -Like "*DoD*" -and $_.Thumbprint -Like "AC06108CA348CC03B53795C64BF84403C1DBD341"} | FL Subject, Issuer, Thumbprint, NotAfter changed_when: false failed_when: false register: wn10_pk_000015_interop_check_for_ac - name: "MEDIUM | WN10-PK-000015 | PATCH | The DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems. | Warning!! No DoD Interoperability Root CA 2 Certificate Installed." - debug: + ansible.builtin.debug: msg: - "Warning!! The DoD Root CA 3 - DoD Interoperability Root CA 2 certificate is not installed on the system or" - "does not contain Thumbprint AC06108CA348CC03B53795C64BF84403C1DBD341 for the Certificate." when: wn10_pk_000015_interop_check_for_ac.stdout == "" - name: "MEDIUM | WN10-PK-000015 | PATCH | The DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems. | DoD Interoperability Root CA 2 49 Thumb Check." 
- win_shell: Get-ChildItem -Path Cert:Localmachine\disallowed | Where {$_.Issuer -Like "*DoD Interoperability*" -and $_.Subject -Like "*DoD*" -and $_.Thumbprint -Like "49CBE933151872E17C8EAE7F0ABA97FB610F6477"} | FL Subject, Issuer, Thumbprint, NotAfter + ansible.windows.win_shell: Get-ChildItem -Path Cert:Localmachine\disallowed | Where {$_.Issuer -Like "*DoD Interoperability*" -and $_.Subject -Like "*DoD*" -and $_.Thumbprint -Like "49CBE933151872E17C8EAE7F0ABA97FB610F6477"} | FL Subject, Issuer, Thumbprint, NotAfter changed_when: false failed_when: false register: wn10_pk_000015_interop_check_for_49 - name: "MEDIUM | WN10-PK-000015 | PATCH | The DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems. | Warning!! No DoD Interoperability Root CA 2 Certificate Installed." - debug: + ansible.builtin.debug: msg: - "Warning!! The DoD Root CA 3 - DoD Interoperability Root CA 2 certificate is not installed on the system or" - "does not contain Thumbprint 49CBE933151872E17C8EAE7F0ABA97FB610F6477 for the Certificate." 
@@ -2841,13 +2841,13 @@ - name: "MEDIUM | WN10-PK-000020 | PATCH | The US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems." block: - name: "MEDIUM | WN10-PK-000020 | PATCH | The US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems. | DoD CCEB Interop Check." - win_shell: Get-ChildItem -Path Cert:Localmachine\disallowed | Where {$_.Issuer -Like "*US DoD CCEB Interoperability Root CA 2*" -and $_.Subject -Like "*DoD Root CA 3*" -and $_.Thumbprint -Like "AF132AC65DE86FC4FB3FE51FD637EBA0FF0B12A9"} | FL Subject, Issuer, Thumbprint, NotAfter + ansible.windows.win_shell: Get-ChildItem -Path Cert:Localmachine\disallowed | Where {$_.Issuer -Like "*US DoD CCEB Interoperability Root CA 2*" -and $_.Subject -Like "*DoD Root CA 3*" -and $_.Thumbprint -Like "AF132AC65DE86FC4FB3FE51FD637EBA0FF0B12A9"} | FL Subject, Issuer, Thumbprint, NotAfter changed_when: false failed_when: false register: wn10_pk_000020_cceb_interop_check - name: "MEDIUM | WN10-PK-000020 | PATCH | The US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems. | Warning!! No DoD Root CA 3 - US DoD CCEB Interoperability Certificate Installed." - debug: + ansible.builtin.debug: msg: - "Warning!! The DoD Root CA 3 - US DoD CCEB Interoperability Root CA 2 certificate is not installed on the system or" - "does not contain Thumbprint AF132AC65DE86FC4FB3FE51FD637EBA0FF0B12A9 for the Certificate." @@ -2870,7 +2870,7 @@ - V-220906 - name: "MEDIUM | WN10-RG-000005 | PATCH | Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained." - win_shell: echo true + ansible.windows.win_shell: echo true changed_when: false failed_when: false when: 
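Review bot: `ansible.windows.win_shell: echo true` in the `@@ -2870` hunk (WN10-RG-000005) spawns a PowerShell process to do nothing, and in the play output it reads as if the HKLM permission check ran; the `notimplemented` tag that opens the next hunk shows the control is a placeholder. An `ansible.builtin.debug` task states that without a shell: `ansible.builtin.debug:` / `msg: "WN10-RG-000005 is not implemented by this role; verify HKLM hive permissions manually."`, keeping the existing `when:` (which continues past the hunk). That also removes the `changed_when`/`failed_when` pair, which only exist to keep the no-op shell quiet.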
@@ -2886,7 +2886,7 @@ - notimplemented - name: "MEDIUM | WN10-SO-000005 | PATCH | The built-in administrator account must be disabled." - win_security_policy: + community.windows.win_security_policy: section: System Access key: EnableAdminAccount value: 0 @@ -2901,7 +2901,7 @@ - V-220908 - name: "MEDIUM | WN10-SO-000010 | PATCH | The built-in guest account must be disabled." - win_security_policy: + community.windows.win_security_policy: section: System Access key: EnableGuestAccount value: 0 @@ -2916,7 +2916,7 @@ - V-220909 - name: "MEDIUM | WN10-SO-000015 | PATCH | Local accounts with blank passwords must be restricted to prevent access from the network." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa value: LimitBlankPasswordUse data: 1 @@ -2932,7 +2932,7 @@ - V-220910 - name: "MEDIUM | WN10-SO-000020 | PATCH | The built-in administrator account must be renamed." - win_security_policy: + community.windows.win_security_policy: section: System Access key: NewAdministratorName value: "{{ win10stig_new_administrator_name }}" @@ -2947,7 +2947,7 @@ - V-220911 - name: "MEDIUM | WN10-SO-000025 | PATCH | The built-in guest account must be renamed." - win_security_policy: + community.windows.win_security_policy: section: System Access key: NewGuestName value: "{{ win10stig_new_guest_name }}" @@ -2962,7 +2962,7 @@ - V-220912 - name: "MEDIUM | WN10-SO-000030 | PATCH | Audit policy using subcategories must be enabled" - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa value: SCENoApplyLegacyAuditPolicy data: 1 @@ -2978,7 +2978,7 @@ - V-220913 - name: "MEDIUM | WN10-SO-000035 | PATCH | Outgoing secure channel traffic must be encrypted or signed." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters value: RequireSignOrSeal data: 1 
@@ -2995,7 +2995,7 @@ - V-220914 - name: "MEDIUM | WN10-SO-000040 | PATCH | Outgoing secure channel traffic must be encrypted when possible." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters value: SealSecureChannel data: 1 @@ -3012,7 +3012,7 @@ - V-220915 - name: "MEDIUM | WN10-SO-000045 | PATCH | Outgoing secure channel traffic must be signed when possible." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters value: SignSecureChannel data: 1 @@ -3029,7 +3029,7 @@ - V-220916 - name: "MEDIUM | WN10-SO-000060 | PATCH | The system must be configured to require a strong session key." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters value: RequireStrongKey data: 1 @@ -3046,7 +3046,7 @@ - V-220919 - name: "MEDIUM | WN10-SO-000070 | PATCH | The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System value: InactivityTimeoutSecs data: "{{ win10stig_inactivity_timeout }}" @@ -3062,7 +3062,7 @@ - V-220920 - name: "MEDIUM | WN10-SO-000075 | PATCH | The required legal notice must be configured to display before console logon." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System value: LegalNoticeText data: "{{ win10stig_legalnotice }}" @@ -3084,7 +3084,7 @@ - V-220921 - name: "MEDIUM | WN10-SO-000095 | PATCH | The Smart Card removal option must be configured to Force Logoff or Lock Workstation." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon value: SCRemoveOption data: "{{ win10stig_smartcard_remove_action }}" 
@@ -3100,7 +3100,7 @@ - V-220924 - name: "MEDIUM | WN10-SO-000100 | PATCH | The Windows SMB client must be configured to always perform SMB packet signing." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters value: RequireSecuritySignature data: 1 @@ -3117,7 +3117,7 @@ - V-220925 - name: "MEDIUM | WN10-SO-000110 | PATCH | Unencrypted passwords must not be sent to third-party SMB Servers." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters value: EnablePlainTextPassword data: 0 @@ -3133,7 +3133,7 @@ - V-220926 - name: "MEDIUM | WN10-SO-000120 | PATCH | The Windows SMB server must be configured to always perform SMB packet signing." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters value: RequireSecuritySignature data: 1 @@ -3152,7 +3152,7 @@ - name: | "MEDIUM | WN10-SO-000160 | PATCH | The system must be configured to prevent anonymous users from having the same rights as the Everyone group." "MEDIUM | WN10-00-000095 | PATCH | Permissions for system files and directories must conform to minimum requirements." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa value: EveryoneIncludesAnonymous data: 0 @@ -3174,7 +3174,7 @@ - V-220717 - name: "MEDIUM | WN10-SO-000167 | PATCH | Remote calls to the Security Account Manager (SAM) must be restricted to Administrators." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa value: RestrictRemoteSAM data: O:BAG:BAD:(A;;RC;;;BA) @@ -3190,7 +3190,7 @@ - V-220933 - name: "MEDIUM | WN10-SO-000180 | PATCH | NTLM must be prevented from falling back to a Null session." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0 value: allownullsessionfallback data: 0 
@@ -3206,7 +3206,7 @@ - V-220934 - name: "MEDIUM | WN10-SO-000185 | PATCH | PKU2U authentication using online identities must be prevented." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Control\LSA\pku2u value: AllowOnlineID data: 0 @@ -3222,7 +3222,7 @@ - V-220935 - name: "MEDIUM | WN10-SO-000190 | PATCH | Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters value: SupportedEncryptionTypes data: 2147483640 @@ -3238,7 +3238,7 @@ - V-220936 - name: "MEDIUM | WN10-SO-000210 | PATCH | The system must be configured to the required LDAP client signing level." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\LDAP value: LDAPClientIntegrity data: 1 @@ -3254,7 +3254,7 @@ - V-220939 - name: "MEDIUM | WN10-SO-000215 | PATCH | The system must be configured to meet the minimum session security requirement for NTLM SSP based clients." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 value: NTLMMinClientSec data: 537395200 @@ -3270,7 +3270,7 @@ - V-220940 - name: "MEDIUM | WN10-SO-000220 | PATCH | The system must be configured to meet the minimum session security requirement for NTLM SSP based servers." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 value: NTLMMinServerSec data: 537395200 @@ -3286,7 +3286,7 @@ - V-220941 - name: "MEDIUM | WN10-SO-000230 | PATCH | The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy value: Enabled data: 1 
@@ -3302,7 +3302,7 @@ - V-220942 - name: "MEDIUM | WN10-SO-000245 | PATCH | User Account Control approval mode for the built-in Administrator must be enabled." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System value: FilterAdministratorToken data: 1 @@ -3318,7 +3318,7 @@ - V-220944 - name: "MEDIUM | WN10-SO-000250 | PATCH | User Account Control must, at minimum, prompt administrators for consent on the secure desktop." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System value: ConsentPromptBehaviorAdmin data: 2 @@ -3336,7 +3336,7 @@ - name: "MEDIUM | WN10-SO-000251 | PATCH | Windows 10 must use multifactor authentication for local and network access to privileged and non-privileged accounts." block: - name: "MEDIUM | WN10-SO-000251 | PATCH | Windows 10 must use multifactor authentication for local and network access to privileged and non-privileged accounts. | Warning Message." - debug: + ansible.builtin.debug: msg: "Warning!! You are not on a domain which means you should configure Windows Hello for sign on options would be suggested based on the organizations needs and capabilities." - name: "MEDIUM | WN10-SO-000251 | PATCH | Windows 10 must use multifactor authentication for local and network access to privileged and non-privileged accounts. | Warn Count." @@ -3355,7 +3355,7 @@ - V-220946 - name: "MEDIUM | WN10-SO-000255 | PATCH | User Account Control must automatically deny elevation requests for standard users." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System value: ConsentPromptBehaviorUser data: 0 
@@ -3371,7 +3371,7 @@ - V-220947 - name: "MEDIUM | WN10-SO-000260 | PATCH | User Account Control must be configured to detect application installations and prompt for elevation." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System value: EnableInstallerDetection data: 1 @@ -3387,7 +3387,7 @@ - V-220948 - name: "MEDIUM | WN10-SO-000265 | PATCH | User Account Control must only elevate UIAccess applications that are installed in secure locations." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System value: EnableSecureUIAPaths data: 1 @@ -3403,7 +3403,7 @@ - V-220949 - name: "MEDIUM | WN10-SO-000270 | PATCH | User Account Control must run all administrators in Admin Approval Mode, enabling UAC." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System value: EnableLUA data: 1 @@ -3419,7 +3419,7 @@ - V-220950 - name: "MEDIUM | WN10-SO-000275 | PATCH | User Account Control must virtualize file and registry write failures to per-user locations." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System value: EnableVirtualization data: 1 @@ -3435,7 +3435,7 @@ - V-220951 - name: "MEDIUM | WN10-SO-000280 | PATCH | Passwords for enabled local Administrator accounts must be changed at least every 60 days." - win_security_policy: + community.windows.win_security_policy: section: System Access key: MaximumPasswordAge value: "{{ win10stig_max_pass_age }}" @@ -3450,7 +3450,7 @@ - V-220952 - name: "MEDIUM | WN10-UC-000020 | PATCH | Zone information must be preserved when saving attachments." - win_regedit: + ansible.windows.win_regedit: path: HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments value: SaveZoneInformation data: 2 
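Review bot: The WN10-SO-000280 task in the `@@ -3435` hunk feeds `win10stig_max_pass_age` straight into `MaximumPasswordAge` with no bound, so an override of, say, 90 in a vars file is applied silently while the control requires 60 days or less; the task's `when:` is outside the hunk. An `ansible.builtin.assert` in prelim.yml, `that: win10stig_max_pass_age | int <= 60` with a `fail_msg` naming the control, would fail fast instead of producing a non-compliant host that reports ok.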
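Review bot: The WN10-UC-000020 task in the `@@ -3450` hunk writes `SaveZoneInformation` under `HKCU:`, and over WinRM that hive belongs to the account Ansible connects as, so the setting lands in the automation account's profile rather than in those of the interactive users the control is about; the same applies to the `HKCU:` paths in cat3.yml at `@@ -278` (DisableThirdPartySuggestions) and `@@ -384` (NoToastApplicationNotificationOnLockScreen). win_regedit can load the Default User hive instead, which at least covers every profile created afterwards: `hive: C:\Users\Default\NTUSER.DAT` with `path: HKLM:\ANSIBLE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments`. Existing profiles still need their own hive loaded or a user-scope policy, and the task name should state which of the two the role actually does; the `when:` is outside the hunk.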
@@ -3466,7 +3466,7 @@ - V-220955 - name: "MEDIUM | WN10-UR-000005 | PATCH | The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts." - win_user_right: + ansible.windows.win_user_right: name: SeTrustedCredManAccessPrivilege users: [] when: @@ -3480,7 +3480,7 @@ - V-220956 - name: "MEDIUM | WN10-UR-000010 | PATCH | The Access this computer from the network user right must only be assigned to the Administrators and Remote Desktop Users groups." - win_user_right: + ansible.windows.win_user_right: name: SeNetworkLogonRight action: set users: @@ -3497,7 +3497,7 @@ - V-220957 - name: "MEDIUM | WN10-UR-000025 | PATCH | The Allow log on locally user right must only be assigned to the Administrators and Users groups." - win_user_right: + ansible.windows.win_user_right: name: SeInteractiveLogonRight action: set users: @@ -3514,7 +3514,7 @@ - V-220959 - name: "MEDIUM | WN10-UR-000030 | PATCH | The Back up files and directories user right must only be assigned to the Administrators group." - win_user_right: + ansible.windows.win_user_right: name: SeBackupPrivilege users: Administrators action: set @@ -3531,7 +3531,7 @@ - name: "MEDIUM | WN10-UR-000035 | PATCH | The Change the system time user right must only be assigned to Administrators and Local Service and NT SERVICE\autotimesvc." block: - name: "MEDIUM | WN10-UR-000035 | PATCH | The Change the system time user right must only be assigned to Administrators and Local Service and NT SERVICE\autotimesvc. | Set for Win 10 v1909 and newer" - win_user_right: + ansible.windows.win_user_right: name: SeSystemtimePrivilege action: set users: @@ -3541,7 +3541,7 @@ when: ansible_distribution_version >= "10.0.1909.0" - name: "MEDIUM | WN10-UR-000035 | PATCH | The Change the system time user right must only be assigned to Administrators and Local Service and NT SERVICE\autotimesvc." - win_user_right: + ansible.windows.win_user_right: name: SeSystemtimePrivilege action: set users: 
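Review bot: The guard `when: ansible_distribution_version >= "10.0.1909.0"` at the top of the `@@ -3541` hunk is a string comparison against a value that is not a build number: `ansible_distribution_version` carries the kernel build (`10.0.18363.0` for 1909, `10.0.19044.0` for 21H2), and lexicographically those sort below `10.0.1909.0`, so the "v1909 and newer" branch of WN10-UR-000035 is skipped on exactly the releases it targets while the fallback task applies the older account list. Use the version test with the real build: `when: ansible_distribution_version is version('10.0.18363.0', '>=')`, and the negated form on the fallback task, whose `when:` is outside the hunk. The block holding both tasks begins in the `@@ -3531` hunk and ends after this one.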
@@ -3559,7 +3559,7 @@ - V-220961 - name: "MEDIUM | WN10-UR-000040 | PATCH | The Create a pagefile user right must only be assigned to the Administrators group." - win_user_right: + ansible.windows.win_user_right: name: SeCreatePagefilePrivilege users: Administrators action: set @@ -3574,7 +3574,7 @@ - V-220962 - name: "MEDIUM | WN10-UR-000050 | PATCH | The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service." - win_user_right: + ansible.windows.win_user_right: name: SeCreateGlobalPrivilege action: set users: @@ -3593,7 +3593,7 @@ - V-220964 - name: "MEDIUM | WN10-UR-000055 | PATCH | The Create permanent shared objects user right must not be assigned to any groups or accounts." - win_user_right: + ansible.windows.win_user_right: name: SeCreatePermanentPrivilege users: [] when: @@ -3607,7 +3607,7 @@ - V-220965 - name: "MEDIUM | WN10-UR-000060 | PATCH | The Create symbolic links user right must only be assigned to the Administrators group." - win_user_right: + ansible.windows.win_user_right: name: SeCreateSymbolicLinkPrivilege users: Administrators action: set @@ -3624,7 +3624,7 @@ - name: "MEDIUM | WN10-UR-000070 | PATCH | The Deny access to this computer from the network user right on workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems." block: - name: "MEDIUM | WN10-UR-000070 | PATCH | The Deny access to this computer from the network user right on workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems. | Domain member systems" - win_user_right: + ansible.windows.win_user_right: name: SeDenyNetworkLogonRight action: set users: 
@@ -3635,7 +3635,7 @@ when: ansible_windows_domain_member - name: "MEDIUM | WN10-UR-000070 | PATCH | The Deny access to this computer from the network user right on workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems. | Non-Domain systems" - win_user_right: + ansible.windows.win_user_right: name: SeDenyNetworkLogonRight users: Guests action: set @@ -3651,7 +3651,7 @@ - V-220968 - name: "MEDIUM | WN10-UR-000075 | PATCH | The Deny log on as a batch job user right on domain-joined workstations must be configured to prevent access from highly privileged domain accounts." - win_user_right: + ansible.windows.win_user_right: name: SeDenyBatchLogonRight action: set users: @@ -3669,7 +3669,7 @@ - V-220969 - name: "MEDIUM | WN10-UR-000080 | PATCH | The Deny log on as a service user right on Windows 10 domain-joined workstations must be configured to prevent access from highly privileged domain accounts." - win_user_right: + ansible.windows.win_user_right: name: SeDenyServiceLogonRight users: - Enterprise Admin @@ -3689,7 +3689,7 @@ - name: "MEDIM | WN10-UR-000085 | PATCH | The Deny log on locally user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems." block: - name: "MEDIM | WN10-UR-000085 | PATCH | The Deny log on locally user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems. | Domain member systems" - win_user_right: + ansible.windows.win_user_right: name: SeDenyInteractiveLogonRight action: set users: 
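Review bot: In the `@@ -3669` hunk the SeDenyServiceLogonRight list names `Enterprise Admin`; the built-in forest group is `Enterprise Admins`, so unless a site-specific group by that exact name exists, account resolution in win_user_right will most likely fail on domain-joined hosts and WN10-UR-000080 will not be applied (the remaining list entries and the `when:` are outside the hunk). Change it to `- Enterprise Admins` and check the other domain-group entries in this file for the same spelling. Separately, the WN10-UR-000085 task names in the `@@ -3689` and `@@ -3699` hunks read `MEDIM` instead of `MEDIUM`, and the `@@ -3717` hunk on the next line has `Domain memeber systems`; if anything filters or reports on the severity prefix these will be missed, so fix them while the names are being touched.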
@@ -3699,7 +3699,7 @@ when: ansible_windows_domain_member - name: "MEDIM | WN10-UR-000085 | PATCH | The Deny log on locally user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems. | Non-Domain systems" - win_user_right: + ansible.windows.win_user_right: name: SeDenyInteractiveLogonRight users: Guests action: set @@ -3717,7 +3717,7 @@ - name: "MEDIUM | WN10-UR-000090 | PATCH | The Deny log on through Remote Desktop Services user right on Windows 10 workstations must at a minimum be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems." block: - name: "MEDIUM | WN10-UR-000090 | PATCH | The Deny log on through Remote Desktop Services user right on Windows 10 workstations must at a minimum be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems. | Domain memeber systems" - win_user_right: + ansible.windows.win_user_right: name: SeDenyRemoteInteractiveLogonRight action: set users: @@ -3728,7 +3728,7 @@ when: ansible_windows_domain_member - name: "MEDIUM | WN10-UR-000090 | PATCH | The Deny log on through Remote Desktop Services user right on Windows 10 workstations must at a minimum be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems. | Non-Domain systems" - win_user_right: + ansible.windows.win_user_right: name: SeDenyRemoteInteractiveLogonRight users: Guests action: set @@ -3745,7 +3745,7 @@ - V-220972 - name: "MEDIUM | WN10-UR-000095 | PATCH | The Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts." - win_user_right: + ansible.windows.win_user_right: name: SeEnableDelegationPrivilege users: [] when: 
@@ -3759,7 +3759,7 @@ - V-220973 - name: "MEDIUM | WN10-UR-000100 | PATCH | The Force shutdown from a remote system user right must only be assigned to the Administrators group." - win_user_right: + ansible.windows.win_user_right: name: SeRemoteShutdownPrivilege users: Administrators action: set @@ -3774,7 +3774,7 @@ - V-220974 - name: "MEDIUM | WN10-UR-000110 | PATCH | The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service." - win_user_right: + ansible.windows.win_user_right: name: SeImpersonatePrivilege action: set users: @@ -3793,7 +3793,7 @@ - V-220975 - name: "MEDIUM | WN10-UR-000120 | PATCH | The Load and unload device drivers user right must only be assigned to the Administrators group." - win_user_right: + ansible.windows.win_user_right: name: SeLoadDriverPrivilege users: Administrators action: set @@ -3808,7 +3808,7 @@ - V-220976 - name: "MEDIUM | WN10-UR-000125 | PATCH | The Lock pages in memory user right must not be assigned to any groups or accounts." - win_user_right: + ansible.windows.win_user_right: name: SeLockMemoryPrivilege action: set users: [] @@ -3823,7 +3823,7 @@ - V-220977 - name: "MEDIUM | WN10-UR-000130 | PATCH | The Manage auditing and security log user right must only be assigned to the Administrators group." - win_user_right: + ansible.windows.win_user_right: name: SeSecurityPrivilege users: Administrators action: set @@ -3842,7 +3842,7 @@ - V-220978 - name: "MEDIUM | WN10-UR-000140 | PATCH | The Modify firmware environment values user right must only be assigned to the Administrators group." - win_user_right: + ansible.windows.win_user_right: name: SeSystemEnvironmentPrivilege users: Administrators action: set 
@@ -3857,7 +3857,7 @@ - V-220979 - name: "MEDIUM | WN10-UR-000145 | PATCH | The Perform volume maintenance tasks user right must only be assigned to the Administrators group." - win_user_right: + ansible.windows.win_user_right: name: SeManageVolumePrivilege users: Administrators action: set @@ -3872,7 +3872,7 @@ - V-220980 - name: "MEDIUM | WN10-UR-000150 | PATCH | The Profile single process user right must only be assigned to the Administrators group." - win_user_right: + ansible.windows.win_user_right: name: SeProfileSingleProcessPrivilege users: Administrators action: set @@ -3887,7 +3887,7 @@ - V-220981 - name: "MEDIUM | WN10-UR-000160 | PATCH | The Restore files and directories user right must only be assigned to the Administrators group." - win_user_right: + ansible.windows.win_user_right: name: SeRestorePrivilege users: Administrators action: set @@ -3902,7 +3902,7 @@ - V-220982 - name: "MEDIUM | WN10-UR-000165 | PATCH | The Take ownership of files or other objects user right must only be assigned to the Administrators group." - win_user_right: + ansible.windows.win_user_right: name: SeTakeOwnershipPrivilege users: Administrators action: set @@ -3917,7 +3917,7 @@ - V-220983 - name: "MEDIUM | WN10-CC-000327 | PATCH | PowerShell Transcription must be enabled on Windows 10." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription value: EnableTranscripting data: 1 diff --git a/tasks/cat3.yml b/tasks/cat3.yml index cf22e04..89f8c1e 100644 --- a/tasks/cat3.yml +++ b/tasks/cat3.yml 
@@ -3,27 +3,27 @@ - name: "LOW | WN10-00-000020 | AUDIT | Secure Boot must be enabled on Windows 10 systems." block: - name: "LOW | WN10-00-000020 | AUDIT | Secure Boot must be enabled on Windows 10 systems. | Check secure boot." - win_shell: Confirm-SecureBootUEFI + ansible.windows.win_shell: Confirm-SecureBootUEFI changed_when: false failed_when: false register: wn10_00_000020_secure_boot_audit - name: "LOW | WN10-00-000020 | AUDIT | Secure Boot must be enabled on Windows 10 systems. | Virtual System Check." - debug: + ansible.builtin.debug: msg: - "Warning!! Your running a virtual system that does not support Secure Boot." - "Please take note for audit purposes and verify it is compliant with sites policies to be STIG compliant." when: "'undefined' in wn10_00_000020_secure_boot_audit.stderr | string" - name: "LOW | WN10-00-000020 | AUDIT | Secure Boot must be enabled on Windows 10 systems. | Hardware Not supported Check." - debug: + ansible.builtin.debug: msg: - "Warning!! Your computers hardware does not support Secure Boot." - "Please take note for audit purposes and verify it is compliant with sites policies to be STIG compliant." when: "'CMdlet' in wn10_00_000020_secure_boot_audit.stderr | string" - name: "LOW | WN10-00-000020 | AUDIT | Secure Boot must be enabled on Windows 10 systems. | Secure Boot Set To Disabled." - debug: + ansible.builtin.debug: msg: - "Warning!! Secure Boot is set to DISABLED." - "Please take note for audit purposes and verify it is compliant with sites policies to be STIG compliant." 
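Review bot: The hardware-not-supported branch keys on `'CMdlet' in wn10_00_000020_secure_boot_audit.stderr | string`, and the `in` test is case-sensitive; as far as I recall the text Confirm-SecureBootUEFI emits on a BIOS/legacy system reads "Cmdlet not supported on this platform", so this debug task would never fire and the unsupported case falls through without a warning. Compare case-insensitively, e.g. `when: "'cmdlet not supported' in (wn10_00_000020_secure_boot_audit.stderr | lower)"`, and consider the same `| lower` normalisation for the `'undefined'` check above it. With `failed_when: false` on the win_shell task, a PowerShell failure unrelated to Secure Boot also leaves `stderr` populated and `rc` nonzero yet produces no warning at all; the block continues outside the hunk.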
@@ -50,13 +50,13 @@ - name: "LOW | WN10-00-000065 | AUDIT | Unused accounts must be disabled or removed from the system after 35 days of inactivity." block: - name: "LOW | WN10-00-000065 | AUDIT | Unused accounts must be disabled or removed from the system after 35 days of inactivity. | Powershell To Get Accounts." - win_shell: Get-LocalUser | Where-Object {$_.Lastlogon -le (Get-Date).AddDays(-35)} | Select-Object Name, Enabled, Lastlogon | Format-Table -AutoSize + ansible.windows.win_shell: Get-LocalUser | Where-Object {$_.Lastlogon -le (Get-Date).AddDays(-35)} | Select-Object Name, Enabled, Lastlogon | Format-Table -AutoSize changed_when: false failed_when: false register: wn10_00_000065_user_local_accounts - name: "LOW | WN10-00-000065 | AUDIT | Unused accounts must be disabled or removed from the system after 35 days of inactivity. | Print Results." - debug: + ansible.builtin.debug: msg: - "Warning!! Review the list below and make sure it meets site policies." - "The list below includes all accounts that have not been logged into for the last 35 days, those unused accounts" 
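Review bot: The WN10-00-000065 query in this hunk filters only on `Lastlogon`, so the warning list also contains accounts that are already disabled — which the control treats as compliant — and, since `$null -le <date>` appears to evaluate true in PowerShell, accounts that have never logged on are included without being distinguished; the block continues outside the hunk. Filtering on `$_.Enabled -and ($_.LastLogon -le (Get-Date).AddDays(-35))` keeps only the accounts that still need action, and replacing `Format-Table -AutoSize` with `Select-Object Name, Enabled, LastLogon | Out-String -Width 200` avoids console-width truncation of the registered `stdout` that the debug task prints.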
@@ -81,13 +81,13 @@ - name: "LOW | WN10-00-000085 | AUDIT | Standard local user accounts must not exist on a system in a domain." block: - name: "LOW | WN10-00-000085 | AUDIT | Standard local user accounts must not exist on a system in a domain. | Get Local Users list" - win_shell: get-localuser | Where-Object -Property Enabled -eq True | Select-Object -Property Name | format-table -hidetableheaders + ansible.windows.win_shell: get-localuser | Where-Object -Property Enabled -eq True | Select-Object -Property Name | format-table -hidetableheaders changed_when: false failed_when: false register: wn10_00_000085_local_users - name: "LOW | WN10-00-000085 | AUDIT | Standard local user accounts must not exist on a system in a domain. | Show Local Users list" - debug: + ansible.builtin.debug: msg: - "Warning!! Below are the local users that are not built in accounts and enabled." - "Please review and remove these local accounts, only AD logins should be occuring." @@ -109,7 +109,7 @@ - V-220715 - name: "LOW | WN10-CC-000030 | PATCH | The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters value: EnableICMPRedirect state: present @@ -126,7 +126,7 @@ - V-220797 - name: "LOW | WN10-CC-000035 | PATCH | The system must be configured to ignore NetBIOS name release requests except from WINS servers." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\Netbt\Parameters value: NoNameReleaseOnDemand state: present 
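Review bot: The WN10-00-000085 message in this hunk promises "local users that are not built in accounts and enabled", but the query only filters on `Enabled`, so an enabled built-in Administrator (RID 500) or DefaultAccount shows up in a list the operator is told to remove; the block continues outside the hunk. Excluding the well-known RIDs keeps the output honest, e.g. `Where-Object { $_.Enabled -and ($_.SID.Value -notmatch '-50[0-4]$') }`, and `-eq $true` is clearer than the bare word `True`, which only works because PowerShell coerces the string to a boolean. Typo in the message: `occuring` → `occurring`.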
@@ -143,7 +143,7 @@ - V-220798 - name: "LOW | WN10-CC-000070 | PATCH | Virtualization Based Security must be enabled on Windows 10 with the platform security level configured to Secure Boot or Secure Boot with DMA Protection" - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard value: "{{ item }}" state: present @@ -163,7 +163,7 @@ - V-220811 - name: "LOW | WN10-CC-000170 | PATCH | The setting to allow Microsoft accounts to be optional for modern style apps must be enabled" - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System value: MSAOptional state: present @@ -180,7 +180,7 @@ - V-220825 - name: "LOW | WN10-CC-000175 | PATCH | The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat value: DisableInventory state: present @@ -197,7 +197,7 @@ - V-220826 - name: "LOW | WN10-CC-000197 | PATCH | Microsoft consumer experiences must be turned off." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent value: DisableWindowsConsumerFeatures state: present @@ -216,7 +216,7 @@ - name: "LOW | WN10-CC-000206 | PATCH | Windows Update must not obtain updates from other PCs on the Internet." block: - name: "LOW | WN10-CC-000206 | PATCH | Windows Update must not obtain updates from other PCs on the Internet. | On a domain" - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization value: DODownloadMode state: present 
@@ -225,7 +225,7 @@ when: ansible_windows_domain_member - name: "LOW | WN10-CC-000206 | AUDIT | Windows Update must not obtain updates from other PCs on the Internet. | Warning For Domain Based System v1507 LTSB." - debug: + ansible.builtin.debug: msg: "Warning!! You Are Version v1507 LTSB which only is STIG compliant when you use use 0 or 1 in the win10stig_dodownloadmod_domain setting." when: - ansible_windows_domain_member @@ -243,7 +243,7 @@ - win10_displayversion.value == '1507' - name: "LOW | WN10-CC-000206 | PATCH | Windows Update must not obtain updates from other PCs on the Internet. | Stand-alone" - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization value: DODownloadMode state: present @@ -261,7 +261,7 @@ - V-220835 - name: "LOW | WN10-CC-000220 | PATCH | Turning off File Explorer heap termination on corruption must be disabled." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer value: NoHeapTerminationOnCorruption state: present @@ -278,7 +278,7 @@ - V-220838 - name: "LOW | WN10-CC-000390 | PATCH | Windows 10 should be configured to prevent users from receiving suggestions for third-party or additional applications." - win_regedit: + ansible.windows.win_regedit: path: HKCU:\SOFTWARE\Policies\Microsoft\Windows\CloudContent value: DisableThirdPartySuggestions state: present @@ -295,7 +295,7 @@ - V-220872 - name: "LOW | WN10-SO-000050 | PATCH | The computer account password must not be prevented from being reset." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters value: DisablePasswordChange state: present 
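Review bot: The v1507 LTSB warning in the `@@ -225` hunk depends on `win10_displayversion.value == '1507'` (the condition is visible at the top of the `@@ -243` hunk; the rest of both `when:` lists is outside), but `DisplayVersion` was only introduced with 20H2, so on a 1507 host prelim.yml's win_reg_stat reports `exists: false` and, as far as I can tell, returns no `value` key — the condition errors out on exactly the build it is meant to detect and never matches anywhere else. Guard it with the fact prelim.yml already registers, `- win10_currentbuild.value == '10240'`, or with `win10_displayversion.exists and win10_displayversion.value == '1507'` if DisplayVersion is kept. The message also has a doubled word, `use use`, and refers to `win10stig_dodownloadmod_domain`; check that spelling against defaults/main.yml before shipping it as operator guidance.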
@@ -312,7 +312,7 @@ - V-220917 - name: "LOW | WN10-SO-000055 | PATCH | The maximum age for machine account passwords must be configured to 30 days or less." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters value: MaximumPasswordAge state: present @@ -328,7 +328,7 @@ - V-220918 - name: "LOW | WN10-SO-000080 | PATCH | The Windows dialog box title for the legal banner must be configured." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System value: LegalNoticeCaption state: present @@ -350,7 +350,7 @@ - V-220922 - name: "LOW | WN10-SO-000085 | PATCH | Caching of logon credentials must be limited." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon value: CachedLogonsCount state: present @@ -367,7 +367,7 @@ - V-220923 - name: "LOW | WN10-SO-000240 | PATCH | The default permissions of global system objects must be increased." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager value: ProtectionMode state: present @@ -384,7 +384,7 @@ - V-220943 - name: "LOW | WN10-UC-000015 | PATCH | Toast notifications to the lock screen must be turned off." - win_regedit: + ansible.windows.win_regedit: path: HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications value: NoToastApplicationNotificationOnLockScreen state: present @@ -401,7 +401,7 @@ - V-220954 - name: "LOW | WN10-CC-000080 | PATCH | Virtualization-based protection of code integrity must be enabled.." - win_regedit: + ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\ value: HypervisorEnforcedCodeIntegrity state: present diff --git a/tasks/main.yml b/tasks/main.yml index ceb590e..c98cafc 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
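Review bot: In the `@@ -401` hunk the DeviceGuard path ends in a trailing backslash (`...\DeviceGuard\`) while the same key in the cat3.yml `@@ -143` hunk is written without one, and the task name ends in `enabled..`; win_regedit tolerates the slash, but the two spellings make a search for the key miss one of them and read like a paste error. Drop the trailing backslash and the extra period. The WN10-SO-000085 task in the `@@ -350` hunk sets `CachedLogonsCount`, whose `type:` line is outside the hunk; the STIG expects that value as REG_SZ, so make sure it does not carry a `type: dword` copied from the neighbouring tasks (`type: string`, the module default, is the right one here).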
@@ -1,7 +1,7 @@ --- - name: Gather distribution info - setup: + ansible.builtin.setup: gather_subset: distribution,!all,!min when: - ansible_distribution is not defined @@ -9,7 +9,7 @@ - always - name: Check OS version and family - assert: + ansible.builtin.assert: that: - ansible_os_family == 'Windows' - ansible_distribution | regex_search('(Microsoft Windows 10)') @@ -19,50 +19,50 @@ - always - name: Get Disk Facts - win_disk_facts: + community.windows.win_disk_facts: when: - wn10_00_000050 or wn10_00_000130 - name: Check ansible version - assert: + ansible.builtin.assert: that: ansible_version.full is version_compare(win10stig_min_ansible_version, '>=') msg: You must use Ansible {{ win10stig_min_ansible_version }} or greater tags: - always - name: Include the preliminary tasks - include_tasks: prelim.yml + ansible.builtin.include_tasks: prelim.yml tags: - prelim_tasks - name: Execute the category 1 (highest severity) tasks - import_tasks: cat1.yml + ansible.builtin.import_tasks: cat1.yml when: win10stig_cat1_patch | bool tags: - cat1 - high - name: Execute the category 2 (medium severity) tasks - import_tasks: cat2.yml + ansible.builtin.import_tasks: cat2.yml when: win10stig_cat2_patch | bool tags: - cat2 - medium - name: Execute the category 3 (lowest severity) tasks - import_tasks: cat3.yml + ansible.builtin.import_tasks: cat3.yml when: win10stig_cat3_patch | bool tags: - cat3 - low - name: Reboot system after running - win_reboot: + ansible.windows.win_reboot: when: win10stig_always_reboot - name: If Warnings found Output count and control IDs affected - debug: + ansible.builtin.debug: msg: - "You have {{ warn_count }} Warning(s) that require investigation(s). Their ID’s are listed below:" - "{{ warn_control_list }}" diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 1aa3b77..98abf5f 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
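Review bot: The "Check ansible version" assert in the `@@ -19,50` hunk still uses `version_compare`, which has been an alias of the `version` test since the rename in Ansible 2.5; since this commit is a lint cleanup, write it as `that: ansible_version.full is version(win10stig_min_ansible_version, '>=')`. In the same hunk `ansible.builtin.include_tasks: prelim.yml` is tagged only `prelim_tasks`, and because include_tasks is dynamic the tag filter applies to the include itself: a run with `--tags cat2` skips prelim.yml entirely, so the `win10_displayversion`/`win10_currentbuild` facts that cat2/cat3 conditions read are never registered (the `# - always` left commented in prelim.yml's `@@ -19` hunk points the same way). Add `- always` to that task's tags, or switch it to `ansible.builtin.import_tasks` so tags inherit as they do for the cat*.yml imports.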
@@ -19,7 +19,7 @@ # - always - name: "PRELIM | Get Display Version value." - win_reg_stat: + ansible.windows.win_reg_stat: path: HKLM:\Software\Microsoft\Windows NT\CurrentVersion name: DisplayVersion changed_when: false @@ -27,16 +27,15 @@ register: win10_displayversion - name: "PRELIM | Get OS Build value." - win_reg_stat: + ansible.windows.win_reg_stat: path: HKLM:\Software\Microsoft\Windows NT\CurrentVersion name: CurrentBuild changed_when: false failed_when: false register: win10_currentbuild - - name: "PRELIM | Get Admin Users and Groups" - win_shell: Get-LocalGroupMember -Name 'Administrators' + ansible.windows.win_shell: Get-LocalGroupMember -Name 'Administrators' changed_when: false failed_when: false register: wn10stig_admin_users_groups diff --git a/tasks/warning_facts.yml b/tasks/warning_facts.yml index 37d04fa..37560bd 100644 --- a/tasks/warning_facts.yml +++ b/tasks/warning_facts.yml @@ -15,6 +15,6 @@ # warn_count the main variable for the number of warnings and each time a warn_control_id is added # the count increases by a value of 1 - name: "NO CONTROL ID | AUDIT | Set fact for manual task warning." - set_fact: + ansible.builtin.set_fact: warn_control_list: "{{ warn_control_list }} [{{ warn_control_id }}]" warn_count: "{{ warn_count | int + 1 }}"
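Review bot: `failed_when: false` on the two win_reg_stat tasks in the `@@ -19` and `@@ -27` hunks hides the only failures that module produces — a missing value is not a failure but is reported as `exists: false` — so a genuine error (unreadable hive, bad path) leaves `win10_displayversion`/`win10_currentbuild` holding a failed result that later `.value` lookups turn into an unrelated undefined-attribute error. Drop `failed_when: false` on those two tasks; on the Get-LocalGroupMember task keep it but let the consumer check `rc`, because that cmdlet is known to throw on groups holding orphaned SIDs, and with the error suppressed the downstream administrators audit would see an empty `stdout` and report a clean result. The warning_facts.yml hunk is a plain rename.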