Releases: ansible-lockdown/Windows-2022-CIS
Benchmark V3.0.0 CIS
Based on Windows Server 2022 CIS V3.0.0
What's Changed
‼️ Be aware there were major changes to this release. The entire structure of the playbook has changed with many new additions. ‼️
- New Addition for creation of GPOs based on our Ansible Remediation.
- 2024 Feb Update: Bug and Typo Fixes by @frederickw082922 in #29
- 2024 March Bug fixes for Cloud VM logic on section 1.2.x, Improved Reboot Handler and SID Logic Improvement by @frederickw082922 in #31
- Only applies to Azure by @mfortin in #34
- Fix 18.10.82.1 by @SwaffelSmurf in #35
- Addressing issue #36 by @mfortin in #37
- 2024 April Update: Fix from Issue #32 by @frederickw082922 in #40
- Issue 38 by @mfortin in #43
- Update control 1.1.6 by @mfortin in #44
- Fixing issue #46 by @mfortin in #47
- PR And Issue Fixes by @MrSteve81 in #54
- CIS V3.0.0 Release by @MrSteve81 in #57
New Contributors
- @mfortin made their first contribution in #34
- @SwaffelSmurf made their first contribution in #35
- @MrSteve81 made their first contribution in #54
Full Changelog: 2.0.0...3.0.0
Benchmark 2.0.0 Updates
CIS Version: 2.0.0
CIS Benchmark v2.0.0 Release Date: 04-14-2023
ADD - 18.9.13 (L2) Ensure 'Turn off cloud optimized content' is set to 'Enabled'
UPDATE - 18.9.89 (L1) 'Allow Windows Ink Workspace' TO 'Enabled: On, but disallow access above lock' OR 'Enabled:
UPDATE - Section changes from Windows 11 Release 22H2 Administrative Templates
UPDATE - 18.10.87 (L1) 'Turn on PowerShell Transcription' is set to 'Disabled' TO 'Enabled'
ADD - 1.2 (L1) Ensure 'Allow Administrator account lockout' is set to 'Enabled'
REMOVE - 2.3.1 (L1) Ensure 'Accounts: Administrator account status' is set to 'Disabled'
ADD - 18.4 (L1) Ensure 'Configure RPC packet level privacy setting for incoming connections' is set to 'Enabled'
MOVE - 18.4 (L1) Ensure 'Limits print driver installation to Administrators' is set to 'Enabled' TO 18.7
ADD - 18.6.4 (L1) Ensure 'Configure NetBIOS settings' is set to 'Enabled: Disable NetBIOS name resolution on public networks'
ADD - 18.7 (L1) Ensure 'Configure Redirection Guard' is set to 'Enabled: Redirection Guard Enabled'
ADD - 18.7 (L1) Ensure 'Configure RPC connection settings: Protocol to use for outgoing RPC connections' is set to 'Enabled: RPC over TCP'
ADD - 18.7 (L1) Ensure 'Configure RPC connection settings: Use authentication for outgoing RPC connections' is set to 'Enabled: Default'
ADD - 18.7 (L1) Ensure 'Configure RPC listener settings: Protocols to allow for incoming RPC connections' is set to 'Enabled: RPC over TCP'
ADD - 18.7 (L1) Ensure 'Configure RPC listener settings: Authentication protocol to use for incoming RPC connections' is set to 'Enabled: Negotiate' or higher
ADD - 18.7 (L1) Ensure 'Manage processing of Queue-specific files' is set to 'Enabled: Limit Queue-specific files to Color profiles'
ADD - 18.9.25 (L1) Ensure 'Allow Custom SSPs and APs to be loaded into LSASS' is set to 'Disabled'
Ticket #17580
ADD - 18.9.25 (NG) Ensure 'Configures LSASS to run as a protected process' is set to 'Enabled: Enabled with UEFI Lock'
ADD - 18.10.17 (L1) Ensure 'Enable App Installer' is set to 'Disabled'
ADD - 18.10.17 (L1) Ensure 'Enable App Installer Experimental Features' is set to 'Disabled'
ADD - 18.10.17 (L1) Ensure 'Enable App Installer Hash Override' is set to 'Disabled'
ADD - 18.10.17 (L1) Ensure 'Enable App Installer ms-appinstaller protocol' is set to 'Disabled'
UPDATE - 18.10.43.6.1 (L1) Ensure 'Configure Attack Surface Reduction rules' with additional ASR rule for "Block abuse of exploited vulnerable signed drivers"
ADD - 18.10.57.3.3 (L2) Ensure 'Do not allow WebAuthn redirection' is set to 'Enabled'
ADD - 18.10.59 (L2) Ensure 'Allow search highlights' is set to 'Disabled'
ADD - 18.10.82 (L1) Ensure 'Enable MPR notifications for the system' is set to 'Disabled'
ADD - 18.7 (L1) Ensure 'Configure RPC over TCP port' is set to 'Enabled: 0'
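The v2.0.0 entries above add a cluster of print-spooler RPC, LSASS and App Installer controls. The script below is an added example written for this page, not code from the Windows-2022-CIS playbook or from CIS: a read-only PowerShell spot check that reads the local registry and reports PASS/FAIL per control. The registry paths, value names and expected numbers are the editor's reading of the Administrative Templates behind each control (and the ASR rule id is Microsoft's published GUID as the editor recalls it); treat the `$checks` table as an assumption to confirm against the benchmark text, not as the benchmark itself.

```powershell
# Added example, not the Windows-2022-CIS playbook's own code: a read-only spot
# check of the local registry against several v2.0.0 controls listed above.
# ASSUMPTION: the paths/value names/expected values below are the editor's reading
# of the Administrative Template behind each control; confirm each against the
# benchmark text before treating a PASS/FAIL as authoritative.

$checks = @(
    # 18.4 Configure RPC packet level privacy setting for incoming connections = Enabled
    @{ Id='18.4';     Path='HKLM:\SYSTEM\CurrentControlSet\Control\Print';                       Name='RpcAuthnLevelPrivacyEnabled';                Expected=@(1) }
    # 18.6.4 Configure NetBIOS settings = Disable NetBIOS name resolution on public networks
    @{ Id='18.6.4';   Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient';             Name='EnableNetbios';                              Expected=@(0) }
    # 18.7 Limits print driver installation to Administrators = Enabled
    @{ Id='18.7';     Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'; Name='RestrictDriverInstallationToAdministrators'; Expected=@(1) }
    # 18.7 Configure Redirection Guard = Redirection Guard Enabled
    @{ Id='18.7';     Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers';               Name='RedirectionguardPolicy';                     Expected=@(1) }
    # 18.7 Protocol to use for outgoing RPC connections = RPC over TCP (named pipes off)
    @{ Id='18.7';     Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC';           Name='RpcUseNamedPipeProtocol';                    Expected=@(0) }
    # 18.7 Use authentication for outgoing RPC connections = Default
    @{ Id='18.7';     Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC';           Name='RpcAuthentication';                          Expected=@(0) }
    # 18.7 Protocols to allow for incoming RPC connections = RPC over TCP
    @{ Id='18.7';     Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC';           Name='RpcProtocols';                               Expected=@(5) }
    # 18.7 Authentication protocol for incoming RPC = Negotiate (0) or higher (1 = Kerberos)
    @{ Id='18.7';     Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC';           Name='ForceKerberosForRpc';                        Expected=@(0, 1) }
    # 18.7 Configure RPC over TCP port = 0 (dynamic port)
    @{ Id='18.7';     Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\RPC';           Name='RpcTcpPort';                                 Expected=@(0) }
    # 18.7 Manage processing of Queue-specific files = Limit to Color profiles
    @{ Id='18.7';     Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers';               Name='CopyFilesPolicy';                            Expected=@(1) }
    # 18.9.25 Allow Custom SSPs and APs to be loaded into LSASS = Disabled
    @{ Id='18.9.25';  Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\System';                    Name='AllowCustomSSPsAPs';                         Expected=@(0) }
    # 18.9.25 (NG) LSASS as protected process = Enabled with UEFI Lock (1; 2 = without UEFI lock)
    @{ Id='18.9.25';  Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\System';                    Name='RunAsPPL';                                   Expected=@(1) }
    # 18.10.17 App Installer family = Disabled
    @{ Id='18.10.17'; Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller';              Name='EnableAppInstaller';                         Expected=@(0) }
    @{ Id='18.10.17'; Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller';              Name='EnableExperimentalFeatures';                 Expected=@(0) }
    @{ Id='18.10.17'; Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller';              Name='EnableHashOverride';                         Expected=@(0) }
    @{ Id='18.10.17'; Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller';              Name='EnableMSAppInstallerProtocol';               Expected=@(0) }
    # 18.10.43.6.1 ASR rule "Block abuse of exploited vulnerable signed drivers" = Block (1)
    @{ Id='18.10.43.6.1'; Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules'; Name='56a863a9-875e-4185-98a7-b882c64b5ce5'; Expected=@(1) }
    # 18.10.87 Turn on PowerShell Transcription = Enabled
    @{ Id='18.10.87'; Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription';  Name='EnableTranscripting';                        Expected=@(1) }
)

function Test-CisRegistryValue {
    # Reads one registry value and reports PASS only if it holds an expected value.
    param([Parameter(Mandatory)][hashtable]$Check)

    $actual = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue |
              Select-Object -ExpandProperty $Check.Name -ErrorAction SilentlyContinue

    if ($null -eq $actual) {
        # Missing key or value = policy "Not Configured", which fails every control above.
        $status = 'FAIL (not set)'
    } else {
        # GPO-written ASR rule values are REG_SZ ("1"), most others REG_DWORD; compare numerically.
        try   { $status = if ($Check.Expected -contains [int]$actual) { 'PASS' } else { 'FAIL' } }
        catch { $status = 'FAIL (non-numeric)' }
    }

    [pscustomobject]@{
        Control  = $Check.Id
        Value    = "$($Check.Path -replace '^HKLM:\\', '')\$($Check.Name)"
        Actual   = $actual
        Expected = ($Check.Expected -join ' or ')
        Status   = $status
    }
}

$results = foreach ($c in $checks) { Test-CisRegistryValue -Check $c }
$results | Format-Table -AutoSize

$failed = @($results | Where-Object Status -ne 'PASS').Count
Write-Host "$($results.Count - $failed)/$($results.Count) checks passed"
# Non-zero exit code lets a CI job or an Ansible win_shell task fail on drift.
exit $failed
```

Two caveats when reading the output. The registry only shows the policy value; for the 18.9.25 (NG) control, the value 1 means the UEFI lock was requested, and whether the lock is actually in firmware is not visible here. The 1.2 'Allow Administrator account lockout' control lives in the local security policy database rather than the registry, so it needs `secedit /export` or `net accounts`, not this script.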
1.0.0
CIS Version: 1.0.0
CIS Version Release Date: 02-14-2022