From 18592d17ada6132289dd04952fa7f8567d8265fb Mon Sep 17 00:00:00 2001
From: Marcos Oviedo
Date: Fri, 3 Feb 2023 14:11:22 -0300
Subject: [PATCH] Adding CIS checks for for Win10 benchmark - Password policies 1.1.x (#9634)

This relates to #9581
---
 ee/cis/win-10/cis-policy-queries.yml | 138 +++++++++++++++++++++++++++
 1 file changed, 138 insertions(+)
 create mode 100644 ee/cis/win-10/cis-policy-queries.yml

diff --git a/ee/cis/win-10/cis-policy-queries.yml b/ee/cis/win-10/cis-policy-queries.yml
new file mode 100644
index 0000000000..7a65d13233
--- /dev/null
+++ b/ee/cis/win-10/cis-policy-queries.yml
@@ -0,0 +1,138 @@
+---
+# The latest version of CIS Benchmarks for Windows 10 standalone is version 1.0.1
+apiVersion: v1
+kind: policy
+spec:
+ name: CIS - Ensure 'Enforce password history' is set to '24' or more passwords
+ platforms: win10
+ platform: windows
+ description: |
+ This policy check determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password.
+ resolution: |
+ Automatic method:
+ Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 24 or more passwords:
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Enforce password history'
+ query: |
+ SELECT 1 FROM security_profile_info WHERE password_history_size >= 24;
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS1.1.1
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: CIS - Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting defines how long a user can use their password before it expires.
+ resolution: |
+ Automatic method:
+ Ask your system administrator to establish the recommended configuration via GP, set the
+ following UI path to 365 or fewer days, but not 0:
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Maximum password age'
+ query: |
+ SELECT 1 FROM security_profile_info WHERE (maximum_password_age <= 365 AND maximum_password_age != 0);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS1.1.2
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: CIS - Ensure 'Minimum password age' is set to '1 or more days'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting determines the number of days that you must use a password before you can
+ change it. 
The range of values for this policy setting is between 1 and 999 days.
+ resolution: |
+ Automatic method:
+ Ask your system administrator to establish the recommended configuration via GP, set the
+ following UI path to 1 or more days:
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password age'
+ query: |
+ SELECT 1 FROM security_profile_info WHERE minimum_password_age >= 1;
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS1.1.3
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: CIS - Ensure 'Minimum password length' is set to '14 or more characters'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting determines the least number of characters that make up a password for a user account.
+ resolution: |
+ Automatic method:
+ Ask your system administrator to establish the recommended configuration via GP, set the
+ following UI path to 14 or more characters
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password length'
+ query: |
+ SELECT 1 FROM security_profile_info WHERE minimum_password_length >= 14;
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS1.1.4
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: CIS - Ensure 'Password must meet complexity requirements' is set to 'Enabled'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting checks all new passwords to ensure that they meet basic requirements for
+ strong passwords. Passwords that contain only alphanumeric characters are extremely easy to
+ discover with several publicly available tools. 
+ resolution: |
+ Automatic method:
+ Ask your system administrator to establish the recommended configuration via GP, set the
+ following UI path to 'Enabled':
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements'
+ query: |
+ SELECT 1 FROM security_profile_info WHERE password_complexity = 1;
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS1.1.5
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: CIS - Ensure 'Relax minimum password length limits' is set to 'Enabled'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting determines whether the minimum password length setting can be increased beyond the legacy limit of 14 characters.
+ resolution: |
+ Automatic method:
+ Ask your system administrator to establish the recommended configuration via GP, set the
+ following UI path to 'Enabled':
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Relax minimum password length limits'
+ query: |
+ SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SAM\\RelaxMinimumPasswordLengthLimits' AND data != 0);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS1.1.6
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: CIS - Ensure 'Store passwords using reversible encryption' is set to 'Disabled'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting determines whether the operating system stores passwords in a way that uses
+ reversible encryption, which provides support for application protocols that require knowledge
+ of the user's password for authentication purposes. Passwords that are stored with reversible
+ encryption are essentially the same as plaintext versions of the passwords. 
+ resolution: |
+ Automatic method:
+ Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Store passwords using reversible encryption'
+ query: |
+ SELECT 1 FROM security_profile_info WHERE clear_text_password = 0;
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS1.1.7
+ contributors: marcosd4h
\ No newline at end of file
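Review bot: The CIS 1.1.6 query (the only `registry` query in the hunk) compares `path` against a literal written with doubled backslashes, `'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SAM\\RelaxMinimumPasswordLengthLimits'`; a YAML `|` block scalar performs no escape processing and SQLite string literals do not treat `\\` as an escape either, so unless the policy loader unescapes the query text, the literal holds two backslashes per separator and can never equal a real registry path, making the policy fail on every host. The resolution text in the same policy uses single backslashes, which is presumably what the query should use too: `SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SAM\RelaxMinimumPasswordLengthLimits' AND data != 0);`. Separately, `data != 0` also passes for any non-zero or non-numeric value; since the benchmark expects the value to be Enabled, `data = 1` would state the intent more precisely. A missing value yields no row and a failing policy, which is the right conservative outcome; a comment on the query line saying so would help the next reader, since the other six queries in the file all read `security_profile_info` rather than the registry.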