mirror of https://github.com/fleetdm/fleet (synced 2026-05-23 17:08:53 +00:00)
Adding CIS checks for Win10 benchmark - Password policies 1.1.x (#9634)
This relates to #9581
parent 9d594e1b4e
commit 18592d17ad
1 changed files with 138 additions and 0 deletions
138
ee/cis/win-10/cis-policy-queries.yml
Normal file
|
|
@ -0,0 +1,138 @@
|
|||
---
|
||||
# The latest version of CIS Benchmarks for Windows 10 standalone is version 1.0.1
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: CIS - Ensure 'Enforce password history' is set to '24' or more passwords
|
||||
platforms: win10
|
||||
platform: windows
|
||||
description: |
|
||||
This policy check determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password.
|
||||
resolution: |
|
||||
Automatic method:
|
||||
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 24 or more passwords:
|
||||
'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Enforce password history'
|
||||
query: |
|
||||
SELECT 1 FROM security_profile_info WHERE password_history_size >= 24;
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level1, CIS1.1.1
|
||||
contributors: marcosd4h
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: CIS - Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'
|
||||
platforms: win10
|
||||
platform: windows
|
||||
description: |
|
||||
This policy setting defines how long a user can use their password before it expires.
|
||||
resolution: |
|
||||
Automatic method:
|
||||
Ask your system administrator to establish the recommended configuration via GP, set the
|
||||
following UI path to 365 or fewer days, but not 0:
|
||||
'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Maximum password age'
|
||||
query: |
|
||||
SELECT 1 FROM security_profile_info WHERE (maximum_password_age <= 365 AND maximum_password_age != 0);
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level1, CIS1.1.2
|
||||
contributors: marcosd4h
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: CIS - Ensure 'Minimum password age' is set to '1 or more days'
|
||||
platforms: win10
|
||||
platform: windows
|
||||
description: |
|
||||
This policy setting determines the number of days that you must use a password before you can
|
||||
change it. The range of values for this policy setting is between 1 and 999 days.
|
||||
resolution: |
|
||||
Automatic method:
|
||||
Ask your system administrator to establish the recommended configuration via GP, set the
|
||||
following UI path to 1 or more days:
|
||||
'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password age'
|
||||
query: |
|
||||
SELECT 1 FROM security_profile_info WHERE minimum_password_age >= 1;
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level1, CIS1.1.3
|
||||
contributors: marcosd4h
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: CIS - Ensure 'Minimum password length' is set to '14 or more characters'
|
||||
platforms: win10
|
||||
platform: windows
|
||||
description: |
|
||||
This policy setting determines the least number of characters that make up a password for a user account.
|
||||
resolution: |
|
||||
Automatic method:
|
||||
Ask your system administrator to establish the recommended configuration via GP, set the
|
||||
following UI path to 14 or more characters
|
||||
'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password length'
|
||||
query: |
|
||||
SELECT 1 FROM security_profile_info WHERE minimum_password_length >= 14;
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level1, CIS1.1.4
|
||||
contributors: marcosd4h
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: CIS - Ensure 'Password must meet complexity requirements' is set to 'Enabled'
|
||||
platforms: win10
|
||||
platform: windows
|
||||
description: |
|
||||
This policy setting checks all new passwords to ensure that they meet basic requirements for
|
||||
strong passwords. Passwords that contain only alphanumeric characters are extremely easy to
|
||||
discover with several publicly available tools.
|
||||
resolution: |
|
||||
Automatic method:
|
||||
Ask your system administrator to establish the recommended configuration via GP, set the
|
||||
following UI path to 'Enabled':
|
||||
'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements'
|
||||
query: |
|
||||
SELECT 1 FROM security_profile_info WHERE password_complexity = 1;
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level1, CIS1.1.5
|
||||
contributors: marcosd4h
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: CIS - Ensure 'Relax minimum password length limits' is set to 'Enabled'
|
||||
platforms: win10
|
||||
platform: windows
|
||||
description: |
|
||||
This policy setting determines whether the minimum password length setting can be increased beyond the legacy limit of 14 characters.
|
||||
resolution: |
|
||||
Automatic method:
|
||||
Ask your system administrator to establish the recommended configuration via GP, set the
|
||||
following UI path to 'Enabled':
|
||||
'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Relax minimum password length limits'
|
||||
query: |
|
||||
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SAM\\RelaxMinimumPasswordLengthLimits' AND data != 0);
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level1, CIS1.1.6
|
||||
contributors: marcosd4h
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: CIS - Ensure 'Store passwords using reversible encryption' is set to 'Disabled'
|
||||
platforms: win10
|
||||
platform: windows
|
||||
description: |
|
||||
This policy setting determines whether the operating system stores passwords in a way that uses
|
||||
reversible encryption, which provides support for application protocols that require knowledge
|
||||
of the user's password for authentication purposes. Passwords that are stored with reversible
|
||||
encryption are essentially the same as plaintext versions of the passwords.
|
||||
resolution: |
|
||||
Automatic method:
|
||||
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Disabled':
|
||||
'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Store passwords using reversible encryption'
|
||||
query: |
|
||||
SELECT 1 FROM security_profile_info WHERE clear_text_password = 0;
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level1, CIS1.1.7
|
||||
contributors: marcosd4h
|
||||
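Review bot: In the CIS1.1.6 policy ('Relax minimum password length limits'), the registry path is written with doubled backslashes (`'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SAM\\RelaxMinimumPasswordLengthLimits'`) inside a `query: |` literal block. YAML does not process escapes in a literal block scalar, and SQLite does not treat a backslash as an escape inside a single-quoted string, so the value compared against `path` keeps two backslashes per separator. Please confirm on a real Windows 10 host that this still returns a row when the setting is enabled, or switch to single backslashes; a path that never matches would make the policy fail on every host. In the same query, `data != 0` passes for any non-zero value, while the policy name asks for 'Enabled'; `data = 1` would state the intent more strictly. A smaller point that applies to all seven policies: each `resolution` is headed "Automatic method:" but the text asks the user to contact an administrator to change Group Policy, so the heading could be reworded or dropped.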