From 0b6313bd6bae2f5503e0184e47c96e34a5a4d93d Mon Sep 17 00:00:00 2001
From: Artemis Tosini
Date: Tue, 4 Apr 2023 15:41:19 -0400
Subject: [PATCH] CIS win10 18.9.46-47 (#10916)

Many of these queries reference registry keys that do not exist so I moved them to the NON-COMPLETED file. However, all queries name in #10355 are included in either the main or non completed file.

- [x] Manual QA for all new/changed functionality
---
.../cis-NON-COMPLETED-policy-queries.yml | 104 ++++++++++++++++++
ee/cis/win-10/cis-policy-queries.yml | 63 ++++++++++-
2 files changed, 164 insertions(+), 3 deletions(-)

diff --git a/ee/cis/win-10/cis-NON-COMPLETED-policy-queries.yml b/ee/cis/win-10/cis-NON-COMPLETED-policy-queries.yml
index 886a77f605..b048f1851b 100644
--- a/ee/cis/win-10/cis-NON-COMPLETED-policy-queries.yml
+++ b/ee/cis/win-10/cis-NON-COMPLETED-policy-queries.yml
@@ -500,6 +500,110 @@ spec:
 ---
 apiVersion: v1
 kind: policy
+spec:
+ name: >
+ CIS - Ensure 'Join Microsoft MAPS' is set to 'Disabled'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting allows you to join Microsoft Active Protection Service (MAPS), which Microsoft renamed to Windows Defender Antivirus Cloud Protection Service and then Microsoft Defender Antivirus Cloud Protection Service.
+ Microsoft MAPS / Microsoft Defender Antivirus Cloud Protection Service is the online community that helps you choose how to respond to potential threats.
+ resolution: |
+ To establish the recommended configuration via GP, set the following UI path to Enabled:
+ 'Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MAPS\Join Microsoft MAPS'
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
+ query: |
+ # Recommended registry key does not exist
+ # SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Spynet\\SpynetReporting' AND data = 0);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level2, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.47.4.2
+ contributors: artemist-work
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: >
+ CIS - Ensure 'Configure Attack Surface Reduction Rules' is set to 'Enabled'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting controls the state for the Attack Surface Reduction (ASR) rules.
+ resolution: |
+ To establish the recommended configuration via GP, set the following UI path to Enabled:
+ 'Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Attack Surface Reduction\Configure Attack Surface Reduction rules'
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
+ query: |
+ # Recommended registry key does not exist
+ # SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ExploitGuard_ASR_Rules' AND data = 1);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.47.5.1.1
+ contributors: artemist-work
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: >
+ CIS - Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting sets the Attack Surface Reduction rules.
+ resolution: |
+ To establish the recommended configuration via GP, set the following UI path so that
+ 26190899-1602-49e8-8b27-eb1d0a1ce869,
+ 3b576869-a4ec-4529-8536-b80a7769e899,
+ 5beb7efe-fd9a-4556-801d-275e5ffc04cc,
+ 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,
+ 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,
+ 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,
+ 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,
+ b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,
+ be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,
+ d3e037e1-3eb8-44c8-a917-57927947596d,
+ d4f940ab-401b-4efc-aadc-ad5f3c50688a, and
+ e6db77e5-3df2-4cf1-b95a-636979351e5b are each set to a value of 1:
+ 'Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Attack Surface Reduction\Configure Attack Surface Reduction rules: Set the state for each ASR rule'
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
+ query: |
+ # Recommended registry keys do not exist
+ # SELECT 1 WHERE EXISTS (SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules\\26190899-1602-49e8-8b27-eb1d0a1ce869' AND data = 1)
+ # AND EXISTS (SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules\\3b576869-a4ec-4529-8536-b80a7769e899' AND data = 1)
+ # AND EXISTS (SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules\\5beb7efe-fd9a-4556-801d-275e5ffc04cc' AND data = 1)
+ # AND EXISTS (SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules\\75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84' AND data = 1)
+ # AND EXISTS (SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules\\7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c' AND data = 1)
+ # AND EXISTS (SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules\\92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b' AND data = 1)
+ # AND EXISTS (SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules\\9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' AND data = 1)
+ # AND EXISTS (SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules\\b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' AND data = 1)
+ # AND EXISTS (SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules\\be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' AND data = 1)
+ # AND EXISTS (SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules\\d3e037e1-3eb8-44c8-a917-57927947596d' AND data = 1)
+ # AND EXISTS (SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules\\d4f940ab-401b-4efc-aadc-ad5f3c50688a' AND data = 1)
+ # AND EXISTS (SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules\\e6db77e5-3df2-4cf1-b95a-636979351e5b' AND data = 1);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.47.5.1.2
+ contributors: artemist-work
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: >
+ CIS - Ensure 'Enable file hash computation feature' is set to 'Enabled'
+ platforms: win10
+ platform: windows
+ description: |
+ This setting determines whether hash values are computed for files scanned by Microsoft Defender.
+ resolution: |
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ 'Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MpEngine\Enable file hash computation feature'
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
+ query: |
+ # Recommended registry keys do not exist
+ # SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\MpEngine\\EnableFileHashComputation' AND data = 1);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level2, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.47.6.1
+ contributors: artemist-work
+---
+apiVersion: v1
+kind: policy
 spec:
 name: >
 CIS - Ensure 'Turn on script scanning' is set to 'Enabled'
diff --git a/ee/cis/win-10/cis-policy-queries.yml b/ee/cis/win-10/cis-policy-queries.yml
index 04bed269a3..c83cf78cc3 100644
--- a/ee/cis/win-10/cis-policy-queries.yml
+++ b/ee/cis/win-10/cis-policy-queries.yml
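Review bot: The 'Join Microsoft MAPS' entry contradicts itself: its name, its `CIS_Level2` / `CIS_bullet_18.9.47.4.2` tags and its parked query (`SpynetReporting` with `data = 0`) all describe the Disabled state, but the resolution tells the operator to `set the following UI path to Enabled:`; it should read `set the following UI path to Disabled:` so that anyone following the remediation does not turn on the cloud reporting the benchmark wants off. The `# Recommended registry key does not exist` justification on all four parked entries is also worth re-checking before they stay in NON-COMPLETED: values under `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender` are presumably only written once the corresponding GPO/MDM setting is applied, so their absence on a QA host looks like the non-compliant state the policy is meant to flag rather than evidence that the path is wrong — verify against a host where the setting has been applied. The per-rule ASR query additionally hard-codes the same twelve GUIDs the resolution lists, so any later change to the rule set has to be made in both places; a one-line comment such as `# GUID list must match the resolution text above` would make that coupling explicit.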
@@ -5721,6 +5721,63 @@ spec:
 ---
 apiVersion: v1
 kind: policy
+spec:
+ name: >
+ CIS - Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'
+ platforms: win10
+ platform: windows
+ description: |
+ This setting determines whether applications and services on the device can utilize new consumer Microsoft account authentication via the Windows OnlineID and WebAccountManager APIs.
+ resolution: |
+ To establish the recommended configuration via GP, set the following UI path to Enabled:
+ 'Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft accounts\Block all consumer Microsoft account user authentication'
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MSAPolicy.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
+ query: |
+ SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftAccount\\DisableUserAuth' AND data = 1);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.46.1
+ contributors: artemist-work
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: >
+ CIS - Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting configures a local override for the configuration to join Microsoft Active Protection Service, which Microsoft renamed to Windows Defender Antivirus Cloud Protection Service and then Microsoft Defender Antivirus Cloud Protection Service.
+ resolution: |
+ To establish the recommended configuration via GP, set the following UI path to Disabled:
+ 'Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MAPS\Configure local setting override for reporting to Microsoft MAPS'
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
+ query: |
+ SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Spynet\\LocalSettingOverrideSpynetReporting' AND data = 0);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.47.4.1
+ contributors: artemist-work
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: >
+ CIS - Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting controls Microsoft Defender Exploit Guard network protection.
+ resolution: |
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled: Block'
+ 'Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Defender Antivirus\Windows Defender Exploit Guard\Network Protection\Prevent users and apps from accessing dangerous websites'
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
+ query: |
+ SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\Network Protection\\EnableNetworkProtection' AND data = 1;
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.47.5.3.1
+ contributors: artemist-work
+---
+apiVersion: v1
+kind: policy
 spec:
 name: >
 CIS - Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'
@@ -5848,7 +5905,7 @@ spec:
 platform: windows
 description: |
 This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments. Several e-mail formats are currently supported, for example: pst (Outlook), dbx, mbx, mime (Outlook Express), binhex (Mac).
- The recommended state for this setting is: Enabled.
+ The recommended state for this setting is: Enabled.
 resolution: |
 To establish the recommended configuration via GP, set the following UI path to 'Enabled':
 'Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Scan\Turn on e-mail scanning'
@@ -5883,7 +5940,7 @@ apiVersion: v1
 kind: policy
 spec:
 name: >
- CIS - Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'
+ CIS - Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'
 platforms: win10
 platform: windows
 description: |
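Review bot: The three new descriptions leave out the `The recommended state for this setting is: ...` sentence that the existing entries in this file carry (it is visible as context in the e-mail scanning hunk just below), so an operator reading the policy sees what the setting does but not which value the benchmark expects; add `The recommended state for this setting is: Enabled.` to the Microsoft-account entry, `... is: Disabled.` to the MAPS override entry and `... is: Enabled: Block.` to the network-protection entry. The network-protection resolution also uses the older GP path `Windows Defender Antivirus\Windows Defender Exploit Guard\Network Protection\...` while the neighbouring MAPS entry and the NON-COMPLETED file write `Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\...`; since the same entry's ADMX note already refers to the renamed product, the path should be brought in line so the two do not disagree about which console tree to open. Minor: that query drops the parentheses around its WHERE condition (`WHERE path = ... AND data = 1;`) that the other two new queries and the existing ones (e.g. `DisablePushToInstall`) use, and the resolution line `set the following UI path to 'Enabled: Block'` is missing the trailing colon the other entries end with.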
@@ -5913,7 +5970,7 @@ spec:
 resolution: |
 To establish the recommended configuration via GP, set the following UI path to Enabled:
 'Computer Configuration\Policies\Administrative Templates\Windows Components\Push to Install\Turn off Push To Install service'
- Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PushToInstall.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PushToInstall.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
 query: |
 SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PushToInstall\\DisablePushToInstall' AND data = 1);
 purpose: Informational