• name: "SCORED | 18.5.21.1 | PATCH | L1 Ensure Minimize the number of simultaneous connections to the Internet or a Windows Domain is set to Enabled"
  win_regedit:
  path: HKLM:\Software\Policies\Microsoft\Windows\Wcmsvc\Grouppolicy
  name: fMinimizeConnections
  data: 3
  type: dword
  when:
  • rule_18_5_21_1
    tags:
  • level1-domaincontroller
  • level1-memberserver
  • rule_18.5.21.1
  • patch

Describe the Issue

When I run the role, I receive the following message:

`TASK [Windows-2019-CIS : Include the preliminary tasks] ***********************************************************************************************************************************************************************************************************************
included: /home/azureuser/github/projekt_AnsibleLernen/azurelab/roles/Windows-2019-CIS/tasks/prelim.yml for apc000060002

TASK [Windows-2019-CIS : Set fact is system is standalone] ********************************************************************************************************************************************************************************************************************
fatal: [apc000060002]: FAILED! =>
msg: |-
The conditional check 'ansible_windows_domain_role == 'Stand-alone server'' failed. The error was: error while evaluating conditional (ansible_windows_domain_role == 'Stand-alone server'): 'ansible_windows_domain_role' is undefined

The error appears to be in '/home/azureuser/github/projekt_AnsibleLernen/azurelab/roles/Windows-2019-CIS/tasks/prelim.yml': line 5, column 9, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:

  block:
      - name: Set fact is system is standalone
        ^ here`

The offending line appears to be:

  block:
      - name: Set fact is system is standalone
        ^ here`

Expected Behavior
The task should process correctly for a domain joined machine

Actual Behavior
A clear and concise description of what's happening.

Control(s) Affected
What controls are being affected by the issue

Environment (please complete the following information):

• git branch: [e.g devel]
• Ansible Version: [e.g. 2.10]
• Host Python Version: [e.g. Python 3.7.6]
• Ansible Server Python Version: [e.g. Python 3.7.6]
• Additional Details:

Additional Notes
am I doing something wrong ? thanks for the ti

Possible Solution
Enter a suggested fix here

The control check the data 1 instead of 0

• name: "SCORED | 9.3.5 | PATCH | (L1) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'"
  win_regedit:
  path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile
  name: AllowLocalPolicyMerge
  data: 0
  type: dword
  when:
  • rule_9_3_5
  • not win_skip_for_test
    tags:
  • level1-domaincontroller
  • level1
  • rule_9.3.5
  • patch

An exception occurred during task execution. To see the full traceback, use -vvv. The error was: at System.Management.Automation.CommandProcessor.Read()
fatal: [w2019]: FAILED! => {"changed": false, "msg": "Unhandled exception while executing module: Cannot bind argument to parameter 'InputObject' because it is an empty string."}

Controls impacted:
2.2.1
2.2.4
2.2.14
2.2.16
2.2.28
2.2.35
2.2.39

• name: "SCORED | 9.1.4 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'"
  win_regedit:
  path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
  name: DisableNotifications
  data: 1
  type: dword
  when:
  • rule_9_1_4
    tags:
  • level1-domaincontroller
  • level1
  • rule_9.1.4
  • patch

      - name: " 17.5.4 | PATCH | L1 | Ensure Audit Logon is set to Success and Failure | Success"
        win_shell: AuditPol /set /subcategory:"Logon" /success:enable
        when: "'Failure' not in rule_17_5_4_audit.stdout"

Should read:

      - name: " 17.5.4 | PATCH | L1 | Ensure Audit Logon is set to Success and Failure | Success"
        win_shell: AuditPol /set /subcategory:"Logon" /success:enable
        when: "'Success' not in rule_17_5_4_audit.stdout"

wrong level for the control 18.5.10.2 , it's normally a L2 but the tag is with L1

• name: "SCORED | 18.5.10.2 | PATCH | L2 Ensure Turn off Microsoft Peer-to-Peer Networking Services is set to Enabled"
  win_regedit:
  path: HKLM:\Software\Policies\Microsoft\Peernet
  name: Disabled
  data: 1
  type: dword
  when:
  - rule_18_5_10_2
  tags:
  - level1-domaincontroller
  - level1-memberserver
  - rule_18.5.10.2
  - patch

Describe the Issue
If manually set using GPEDIT correct value is 0

Expected Behavior
value set to 0

Actual Behavior
value set to 1

Control(s) Affected
"18.6.4.2 | PATCH | Ensure Turn off multicast name resolution is set to Enabled MS Only | Member Server"

Environment (please complete the following information):

• branch being used: [devel]

Possible Solution
- name: "18.6.4.2 | PATCH | Ensure Turn off multicast name resolution is set to Enabled MS Only | Member Server"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient
name: EnableMulticast
data: 0
type: dword
when:
- win19cis_rule_18_6_4_2
- win2019cis_is_domain_member
tags:
- level1-domaincontroller
- level1-memberserver
- rule_18.6.4.3
- patch
- dns

Control check

• name: "SCORED | 18.3.6 | PATCH | L1 Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node recommended'"
  win_regedit:
  path: HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
  state: present
  name: NodeType
  value: 2"
  datatype: dword
  when:
  • rule_18_3_6
    tags:
  • level1-domaincontroller
  • level1-memberserver
  • rule_18.3.6
  • patch

The control need to be implement

 win_regedit:
    path: HKLM:\Software\Policies\Microsoft\InputPersonalization
    name: "AllowInputPersonalization"
    data: "0"
    type: dword

• name: "SCORED | 2.3.6.4 | PATCH | L1 Ensure Domain member Disable machine account password changes is set to Disabled"
  win_regedit:
  path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters
  name: disablepasswordchange
  data: 0
  type: dword
  when:
  • rule_2_3_6_4
  • not ansible_windows_domain_role == "Primary domain controller"
    tags:
  • level1-domaincontroller
  • level1-memberserver
  • rule_2.3.6.4
  • patch

Hi,

the section 9 (windows firewall) is missing, it’s normal ?

Thanks

name: "SCORED | 2.3.6.4 | PATCH | L1 Ensure Domain member Disable machine account password changes is set to Disabled"
win_regedit:
path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters
name: disablepasswordchange
data: 0
type: dword
when:
rule_2_3_6_4
not ansible_windows_domain_role == "Primary domain controller"
tags:
level1-domaincontroller
level1-memberserver
rule_2.3.6.4
patch

https://github.com/ansible-lockdown/Windows-2019-CIS/blob/devel/tasks/section02.yml#L703

value: GeorgeSharp instead of value: '{{ newadministratorname }}'

https://github.com/ansible-lockdown/Windows-2019-CIS/blob/devel/tasks/section02.yml#L721

value: BobCooper instead of value: '{{ renamedguest}}'

Not sure why but the control 18.8.28.4 is not executed

Tags looks ok, and the task is in the maln

Really not sure why ....

TASK [/tmp/awx_1138__8s1zfze/project : SCORED | 18.8.28.3 | PATCH | L1 Ensure Do not enumerate connected users on domain-joined computers is set to Enabled] ***
ok: [***************]

TASK [/tmp/awx_1138__8s1zfze/project : SCORED | 18.8.28.5 | PATCH | L1 Ensure Turn off app notifications on the lock screen is set to Enabled] ***
ok: [**************]

Hello,
I wanted to give an update on a tagging change that will take place on the next release, scheduled at some point in May. Without realizing that Ansible Galaxy needs version numbers in the Semantic format that excludes the preceding “v”, for example 1.2.1 vs v1.2., we have been using tags with the preceding v. This has caused our galaxy space to not update with our latest releases.

The plan going forward we plan to adjust the version number formatting on the first release for each repo in May. Please make note that if you are relying on release tags to keep up with latest versions, the numbering format will change. The cadence of the version numbers will continue and progress through as they have been, however the preceding “v” will be dropped from the tag.

George

Describe the Issue
If manually set using GPEDIT correct value is 0

Expected Behavior
value set to 0

Actual Behavior
value set to 1

Control(s) Affected
Rule 18.9.50.1.2 (L2) Ensure 'Enable Windows NTP Server' is set to 'Disabled' (MS only)

Environment (please complete the following information):

• branch being used: devel

Possible Solution

• name: "18.9.50.1.2 | PATCH | Ensure Enable Windows NTP Server is set to Disabled MS only | Member Server"
  ansible.windows.win_regedit:
  path: HKLM:\Software\Policies\Microsoft\W32Time\Timeproviders\Ntpserver
  name: Enabled
  data: 0
  type: dword
  when:
  - win19cis_rule_18_9_50_1_2
  - win2019cis_is_domain_member
  tags:
  - level2-memberserver
  - rule_18.9.50.1.2
  - patch
  - ntp

• name: "SCORED | 18.8.28.4 | PATCH | L1 Ensure Enumerate local users on domain-joined computers is set to Disabled MS only"
  win_regedit:
  path: HKLM:\Software\Policies\Microsoft\Windows\System
  name: EnumerateLocalUsers
  data: 0
  type: String
  when:
  • rule_18_8_28_4
    tags:
  • level1-memberserver
  • rule_18.8.28.4
  • patch

• name: "SCORED | 18.9.26.1.1 | PATCH | L1 Ensure Application Control Event Log behavior when the log file reaches its maximum size is set to Disabled"
  win_regedit:
  path: HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application
  name: Retention
  data: 0
  type: string
  when:
  • rule_18_9_26_1_1
    tags:
  • level1-domaincontroller
  • level1-memberserver
  • rule_18.9.26.1.1
  • patch

• name: "SCORED | 18.9.77.13.3.1 | PATCH | L1 Ensure Prevent users and apps from accessing dangerous websites is set to Enabled Block"
  win_regedit:
  path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection
  name: EnableNetworkProtection
  data: 1
  type: dword
  when:
  • rule_18_9_77_13_3_1
    tags:
  • level1-domaincontroller
  • level1-memberserver
  • rule_18.9.77.13.3.1
  • patch

The control have the wrong tags

• level2-domaincontroller
  • level2-memberserver
  • rule_18.9.59.3.11.1

It's a CIS Level1 control

This part is failing in a guest server part of the domain

TASK [./roles/Windows-2019-CIS/ : 2.2.22 | PATCH | Ensure Deny log on as a batch job to include Guests] *************************************************************************************************
fatal: [MNGITBCS02]: UNREACHABLE! => {"changed": false, "msg": "ntlm: the specified credentials were rejected by the server", "unreachable": true}

Describe the Issue
Section 18.3.x Missing Variables in Defaults

Expected Behavior
Variable in the defaults main.yml for
win19cis_laps_password_length
win19cis_laps_password_age_days

Actual Behavior
missing variable causing code to error out

Control(s) Affected
Rule 18.3.5
Rule 18.3.6

Environment (please complete the following information):

• branch being used: devel (but checked main same missing variable)
• Ansible Version: 2.14.2
• Host Python Version: 3.6.8
• Ansible Server Python Version: 3.11.2

Additional Notes
Anything additional goes here

Possible Solution
add variable to main.yml in the defaults folder

Describe the Issue

When executing the playbook with -t level1-memberserver, the file prelim.yml is skipped because the include task in main.yml it isn't tagged - always, but rather tagged prelim_tasks.

- name: Include the preliminary tasks
  ansible.builtin.include_tasks: prelim.yml
  tags:
      - prelim_tasks

Skipping the tasks in this file, causes the variable windows_installation_type to not be defined and the playbook fails on 2.2.33 | PATCH | Ensure Increase scheduling priority is set to Administrators Window ManagerWindow Manager Group during a lookup of that variable.

The workaround for this is to run the playbook with -t level1-memberserver,prelim_tasks,untagged. It's necessary to add untagged because the tasks in the prelim.yml file are not tagged, so while -t level1-memberserver,prelim_tasks will include the file, it won't run any tasks within the file.

Expected Behavior

Using a tag in the playbook execution shouldn't exclude tasks in prelim.yml

Actual Behavior**

TASK [/home/user1/ansible/Windows-2019-CIS : 2.2.33 | PATCH | Ensure Increase scheduling priority is set to Administrators Window ManagerWindow Manager Group] *************************
fatal: [192.168.93.131]: FAILED! => {"msg": "The task includes an option with an undefined variable. The error was: {{ [\"Administrators\"] if (windows_installation_type==\"Server Core\") else ([\"Administrators\",\"Window Manager\\Window Manager Group\"]) }}: 'windows_installation_type' is undefined. 'windows_installation_type' is undefined. {{ [\"Administrators\"] if (windows_installation_type==\"Server Core\") else ([\"Administrators\",\"Window Manager\\Window Manager Group\"]) }}: 'windows_installation_type' is undefined. 'windows_installation_type' is undefined\n\nThe error appears to be in '/home/user1/ansible/Windows-2019-CIS/tasks/section02.yml': line 490, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: \"2.2.33 | PATCH | Ensure Increase scheduling priority is set to Administrators Window ManagerWindow Manager Group\"\n  ^ here\n"}

Environment (please complete the following information)

• Ansible Version: 2.14.4
• Host Python Version: 3.9.16
• Ansible Server Python Version: 3.9.16
• Target server details: Windows Server 2019
• Additional Details:

Additional Notes

Anything additional goes here

Possible Solution

Not sure if there are use cases where you wouldn't want the prelim tasks tasks to run, but if there aren't any, tasks in prelim.yml should be tagged - always

18.4.11: tagged as level 1, should be level 2
18.5.10.2: tagged as level 1, should be level 2
18.8.22.1.2: tagged as level 1, should be level 2

The 2019 repo uses the 2016 Windows guide.
https://github.com/ansible-lockdown/Windows-2019-CIS

Based on [CIS Microsoft Windows Server 2019 Benchmark v1.3.0 - 03-18-2022](https://learn.cisecurity.org/l/799323/2022-03-15/rshpk)

But that link takes you to download CIS_Microsoft_Windows_Server_2016_Benchmark_v1.4.0.pdf

This in itself is not a big deal, but... The rest of the lockdown playbook uses the 2016 guide, not the 2019 guide.

For instance:

https://github.com/ansible-lockdown/Windows-2019-CIS/blob/devel/tasks/section01.yml
- name: "1.1.6 | PATCH | Ensure Store passwords using reversible encryption is set to Disabled"

Which is what CIS Windows 2016 has:

But CIS Windows 2019 is different:

Hi,

To enable the firewall you are using the :

win_firewall:
state: enabled
profile: Private

But CIS tool is checking for the registry key,

To alvoid false positive should you not use :

   path: HKLM:\Software\Policies\Microsoft\Windowsfirewall\Domainprofile
    name: "EnableFirewall"
    data: "1"
    type: dword

?

• name: "SCORED | 18.8.28.4 | PATCH | L1 Ensure Enumerate local users on domain-joined computers is set to Disabled MS only"
  win_regedit:
  path: HKLM:\Software\Policies\Microsoft\Windows\System
  name: EnumerateLocalUsers
  data: 0
  type: dword
  when:
  • rule_18_8_28_4
    tags:
  • level1-memberserver
  • rule_18.8.28.4
  • patch

• name: "SCORED | 18.9.26.3.1 | PATCH | L1 Ensure Setup Control Event Log behavior when the log file reaches its maximum size is set to Disabled"
  win_regedit:
  path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Setup
  name: Retention
  data: 0
  type: string
  when:
  • rule_18_9_26_3_1
    tags:
  • level1-domaincontroller
  • level1-memberserver
  • rule_18.9.26.3.1
  • patch

Describe the Issue
GUID 56a863a9-875e-4185-98a7-b882c64b5ce5 is missing

Expected Behavior
add GUID if missing from registry

Actual Behavior
missing from code

Control(s) Affected
18.10.43.6.1.2

Environment (please complete the following information):

• branch being used: devel

Possible Solution
loop:
- 26190899-1602-49e8-8b27-eb1d0a1ce869
- 3b576869-a4ec-4529-8536-b80a7769e899
- 56a863a9-875e-4185-98a7-b882c64b5ce5
- 5beb7efe-fd9a-4556-801d-275e5ffc04cc
- 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84
- 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
- 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b
- 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
- b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
- be9ba2d9-53ea-4cdc-84e5-9b1eeee46550
- d3e037e1-3eb8-44c8-a917-57927947596d
- d4f940ab-401b-4efc-aadc-ad5f3c50688a
- e6db77e5-3df2-4cf1-b95a-636979351e5b

TASK [/Users/brennans/Desktop/Work_Dir/win-2k19-cis : SCORED | 18.9.84.2 | PATCH | L1 Ensure Allow Windows Ink Workspace is set to Enabled On but disallow access above lock OR Disabled but not Enabled On] ***
fatal: [default]: FAILED! => {"msg": "The conditional check 'rule_18_9_84_2' failed. The error was: error while evaluating conditional (rule_18_9_84_2): 'rule_18_9_84_2' is undefined\n\nThe error appears to be in '/Users/brennans/Desktop/Work_Dir/win-2k19-cis/tasks/section18.yml': line 2312, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: "SCORED | 18.9.84.2 | PATCH | L1 Ensure Allow Windows Ink Workspace is set to Enabled On but disallow access above lock OR Disabled but not Enabled On"\n ^ here\n"}

^ what I received during testing

Looks like the Control 18.3.7 is missing in the task definition

Describe the Issue
Task 2.3.6.1 fails on a domain joined server with the error that win2019cis_is_standalone is not defined. This variable is checked in the when clause for the task

Checking the prelim.yml file, the variable is set to true for workgroup machines, but does not appear to be set to false anywhere.

Expected Behavior
The task should process correctly for a domain joined machine

Actual Behavior
The conditional - not win2019cis_is_standalone fails with a not defined error message.

This variable is set in the prelim tasks but only for a stand-alone server.

This either needs to be set to false for a domain-joined machine, set to false in a defaults file, or set to false elsewhere, or the task needs to have a default value in the conditional.

Control(s) Affected
2019 playbook will not run to completion on a domain joined machine

Environment (please complete the following information):

• git branch: [e.g main]
• Ansible Version: [e.g. 2.12]
• Host Python Version: [e.g. Python 3.8]
• Ansible Server Python Version: [e.g. Python 3.8]
• Additional Details:

Additional Notes
Anything additional goes here

Possible Solution

      - name: set fact if domain member server
        set_fact:
            win2019cis_is_domain_member: true
            win2019cis_is_standalone: false
        when:
            - ansible_windows_domain_role == 'Member server'

• name: "SCORED | 18.9.95.2 | PATCH | L1 Ensure Turn on PowerShell Transcription is set to Disabled"
  win_regedit:
  path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Transcription
  name: EnableTranscripting
  data: 0
  type: dword
  when:
  • rule_18_9_95_2
    tags:
  • level1-domaincontroller
  • level1-memberserver
  • rule_18.9.95.2
  • patch

  win_regedit:
      path: HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application
      name: Retention
      data: 0
      type: string

Should be

  win_regedit:
      path: HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application
      name: Retention
      data: 0
      type: dword

Retention | This value is of type REG_DWORD. The default value is 0.

ref: https://docs.microsoft.com/en-us/windows/win32/eventlog/eventlog-key

redirecting (type: modules) ansible.builtin.win_user_right to ansible.windows.win_user_right
Using module file /home/user/.ansible/lib/python3.8/site-packages/ansible_collections/ansible/windows/plugins/modules/win_user_right.ps1
Pipelining is enabled.
<10.x.x.x> ESTABLISH WINRM CONNECTION FOR USER: Administrator on PORT 5985 TO 10.x.x.x
EXEC (via pipeline wrapper)
The full traceback is:
Cannot bind argument to parameter 'InputObject' because it is an empty string.
At line:346 char:34
+ $userSids = [String[]]@($users | ConvertTo-SecurityIdentifier | ForEa ...
+                                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [ConvertTo-SecurityIdentifier], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorEmptyStringNotAllowed,ConvertTo-SecurityIdentifier

ScriptStackTrace:
at <ScriptBlock>, <No file>: line 346

System.Management.Automation.ParameterBindingValidationException: Cannot bind argument to parameter 'InputObject' because it is an empty string.
   at System.Management.Automation.CmdletParameterBinderController.BindValueFromPipeline(PSObject inputToOperateOn, MergedCompiledCommandParameter parameter, ParameterBindingFlags flags)
   at System.Management.Automation.CmdletParameterBinderController.BindUnboundParametersForBindingStateInParameterSet(PSObject inputToOperateOn, CurrentlyBinding currentlyBinding, UInt32 validParameterSets)
   at System.Management.Automation.CmdletParameterBinderController.BindUnboundParametersForBindingState(PSObject inputToOperateOn, CurrentlyBinding currentlyBinding, UInt32 validParameterSets)
   at System.Management.Automation.CmdletParameterBinderController.BindPipelineParametersPrivate(PSObject inputToOperateOn)
   at System.Management.Automation.CmdletParameterBinderController.BindPipelineParameters(PSObject inputToOperateOn)
   at System.Management.Automation.CommandProcessor.Read()
fatal: [x.testing.x.x]: FAILED! => {
    "changed": false,
    "msg": "Unhandled exception while executing module: Cannot bind argument to parameter 'InputObject' because it is an empty string."
}

https://github.com/ansible-lockdown/Windows-2019-CIS/blob/devel/tasks/section02.yml#L626

should be users: []

Could a variable be added to enable just audit only so as to perform checks for existing systems?

---
# vars.yaml
audit_mode: true
remediate_mode: false

Then, you could do something similar to:

---
- name: "SCORED | 1.1.1 | PATCH | L1 Ensure Enforce password history is set to 24 or more passwords"
  block:
      - name: "SCORED | 1.1.1 | AUDIT | L1 Ensure Enforce password history is set to 24 or more passwords"
        assert:
            that: passwordhistorysize | int is version('24', '>=')
            fail_msg: "Password history must be configured to 24 passwords remembered and variable passwordhistorysize is set to {{ passwordhistorysize }}"
        changed_when: false
        ignore_errors: true
        register: result

      - name: "SCORED | 1.1.1 | PATCH | L1 Ensure Enforce password history is set to 24 or more passwords"
        when: ( remediate_mode | bool )
        win_security_policy:
            section: System Access
            key: PasswordHistorySize
            value: "{{ passwordhistorysize }}"
  when:
      - rule_1_1_1
  tags:
      - level1-domaincontroller
      - level1-memberserver
      - rule_1.1.1
      - patch
# ...
...

• name: "SCORED | 19.7.4.1 | PATCH | L1 Ensure Do not preserve zone information in file attachments is set to Disabled"
  block:

  • name: "SCORED | 19.7.4.1 | PATCH | L1 Ensure Do not preserve zone information in file attachments is set to Disabled"
    win_regedit:
    path: HKU:.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
    name: SaveZoneInformation
    data: 2
    type: dword

  • name: "SCORED | 19.7.4.1 | PATCH | L1 Ensure Do not preserve zone information in file attachments is set to Disabled"
    win_regedit:
    path: HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
    name: SaveZoneInformation
    data: 2
    type: dword
    when:

  • rule_19_7_4_1
    tags:

  • level1-domaincontroller

  • level1-memberserver

  • rule_19.7.4.1

  • patch

2.2.18 will assume that the "NT VIRTUAL MACHINE\Virtual Machines" group exist (although it should only exist when the Hyper-V role is installed).

If it does not exist, it will error. There should be a check to make sure that the "NT VIRTUAL MACHINE\Virtual Machines" group exists before performing the rest of the task

• name: "SCORED | 17.5.1 | PATCH | (L1) Ensure Audit Account Lockout is set to include Failure"
  block:
  - name: "SCORED | 17.5.1 | AUDIT | (L1) Ensure Audit Account Lockout is set to include Failure"
  win_shell: AuditPol /get /subcategory:"Account Lockout" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
  changed_when: false
  failed_when: false
  register: rule_17_5_1_audit

  - name: "SCORED | 17.5.1 | PATCH | (L1) Ensure Audit Account Lockout is set to include Failure"
    win_shell: AuditPol /set /subcategory:"Account Lockout" **/failure:enable**
    when: "'Failure' not in rule_17_5_1_audit.stdout"
  

  when:

  • rule_17_5_1
    tags:
  • level1-domaincontroller
  • level1-memberserver
  • rule_17.5.1
  • patch

The datatype should be string not dword

• name: "SCORED | 18.4.1 | PATCH | L1 Ensure MSS AutoAdminLogon Enable Automatic Logon not recommended is set to Disabled"
  win_regedit:
  path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  state: present
  value: AutoAdminLogon
  data: 0
  datatype: string
  when:
  • rule_18_4_1
    tags:
  • level1-domaincontroller
  • level1-memberserver
  • rule_18.4.1
  • patch

• name: "SCORED | 18.9.95.1 | PATCH | L1 Ensure Turn on PowerShell Script Block Logging is set to Disabled"
  win_regedit:
  path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Scriptblocklogging
  name: EnableScriptBlockLogging
  data: 0
  type: dword
  when:
  • rule_18_9_95_1
    tags:
  • level1-domaincontroller
  • level1-memberserver
  • rule_18.9.95.1
  • patch

Rule 18.5.4.1 is tagged as level 2, should be level 1

Window Manager\Window Manager Group only exists on non Core installations. When running on a Windows 2019 Core system, task 2.2.33 fails complaining Window Manager does not exists.

Question
After applying for WINDOWS-2019-CIS roles(devel branch), I cannot RDP after the reboot of Windows server 2019, what would you need to do to fix the issue?

Environment:

• Ansible Version: [ 2.14.6 ]
• Host Python Version: [ Python 3.9.18 ]
• Ansible Server Python Version: [ Python 3.9.18 ]
• Additional Details: I am creating golden image AMI with the help of WINDOWS-2019-CIS roles, but as soon as all tasks are completed and I restart the machine, I cannot log in to my new machine.
• The reboot_windows handler doesn't work, it's stuck always, hence I have commented handler and then tested it.

Note: I have set win19cis_rule_18_10_57_3_9_3 to false from defaults/main.yml , still facing the same issue.

The control 18.3.1 should be implement

 win_regedit:
    path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
    name: "LocalAccountTokenFilterPolicy"
    data: "0"
    type: dword

Hi,

Have you plan to align the tags between sections

Example

in the section 9 the tags are:

• level1-domaincontroller
• level1-memberserver

in the section 1 the tags are

• level1
• level2

I guess you did it for Windows 2016

Thanks and for good work 👍

• name: "18.2.6 | PATCH | L1 | Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only"
  win_regedit:
  path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd
  name: PasswordAgeDays
  data: "{{ laps_passwordagedays }}"
  type: dword
  when:
  - rule_18_2_6
  - ansible_windows_domain_role == "Memmber Server"
  tags:
  - level1-memberserver
  - rule_18.2.6
  - patch

In the control the value need to be 0 not 1

• name: "SCORED | 18.3.4 | PATCH | L1 Ensure Enable Structured Exception Handling Overwrite Protection SEHOP is set to Enabled"
  win_regedit:
  path: HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel
  name: DisableExceptionChainValidation
  data: 0
  type: dword
  state: present
  when:
  • rule_18_3_4
    tags:
  • level1-domaincontroller
  • level1-memberserver
  • rule_18.3.4
  • patch

• name: "SCORED | 2.3.11.4 | PATCH | (L1) Ensure Network security Configure encryption types allowed for Kerberos is set to AES128 HMAC SHA1 AES256 HMAC SHA1 Future encryption types"
  win_regedit:
  path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\Kerberos\Parameters
  name: SupportedEncryptionTypes
  data: 2147483640
  type: dword
  when:
  • rule_2_3_11_4
    tags:
  • level1-domaincontroller
  • level1-memberserver
  • rule_2.3.11.4
  • patch