Pushing pending CIS items (#11511)

This relates to #11312 

This completes the last 20 pending CIS policies [here](https://docs.google.com/spreadsheets/d/1HZn7e4zpd5nfxY0MhSdX8MkGpdpxyLdSZjk0Auo1WaQ/edit#gid=1819959040)
Marcos Oviedo 2023-05-12 11:38:17 -03:00 committed by GitHub
parent 3ec04887e6
commit 424baf431b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 432 additions and 875 deletions

@ -1,875 +0,0 @@
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure 'Account lockout duration' is set to '15 or more minute(s)'
platforms: win10
platform: windows
description: |
This policy setting determines the length of time that must pass before a locked account is unlocked and a user can try to log on again. The setting does this by specifying the number of minutes a locked out account will remain unavailable. If the value for this policy setting is configured to 0, locked out accounts will remain locked out until an administrator manually unlocks them.
Although it might seem like a good idea to configure the value for this policy setting to a high value, such a configuration will likely increase the number of calls that the help desk receives to unlock accounts locked by mistake. Users should be aware of the length of time a lock remains in place, so that they realize they only need to call the help desk if they have an extremely urgent need to regain access to their computer.
The recommended state for this setting is: 15 or more minute(s).
Note: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to '15 or more minute(s)':
'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout duration'
query: |
tbd
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_1.2.1, CIS_not_completed
contributors: sharon-fdm
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'
platforms: win10
platform: windows
description: |
This policy setting determines the number of failed logon attempts before the account is locked. Setting this policy to 0 does not conform to the benchmark as doing so disables the account lockout threshold.
The recommended state for this setting is: 5 or fewer invalid logon attempt(s), but not 0.
Note: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to '5 or fewer invalid login attempt(s), but not 0':
'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout threshold'
query: |
tbd
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_1.2.2, CIS_not_completed
contributors: sharon-fdm
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'
platforms: win10
platform: windows
description: |
This policy setting determines the length of time before the Account lockout threshold resets to zero. The default value for this policy setting is Not Defined. If the Account lockout threshold is defined, this reset time must be less than or equal to the value for the Account lockout duration setting.
If you leave this policy setting at its default value or configure the value to an interval that is too long, your environment could be vulnerable to a DoS attack. An attacker could maliciously perform a number of failed logon attempts on all users in the organization, which will lock out their accounts. If no policy were determined to reset the account lockout, it would be a manual task for administrators. Conversely, if a reasonable time value is configured for this policy setting, users would be locked out for a set period until all of the accounts are unlocked automatically.
The recommended state for this setting is: 15 or more minute(s).
Note: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to '15 or more minute(s)':
'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Reset account lockout counter after'
query: |
tbd
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_1.2.3, CIS_not_completed
contributors: sharon-fdm
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'
platforms: win10
platform: windows
description: |
This policy setting allows a user to adjust the maximum amount of memory that is available to a process. The ability to adjust memory quotas is useful for system tuning, but it can be abused. In the wrong hands, it could be used to launch a denial of service (DoS) attack.
The recommended state for this setting is: Administrators, LOCAL SERVICE, NETWORK SERVICE.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to a list of only 'Administrators', 'LOCAL SERVICE' and 'NETWORK SERVICE':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Adjust memory quotas for a process'
query: |
Tbd
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.4, CIS_not_completed, english-support-only
contributors: sharon-fdm
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'
platforms: win10
platform: windows
description: |
This policy setting determines which users or groups have the right to log on as a Remote Desktop Services client. If your organization uses Remote Assistance as part of its help desk strategy, create a group and assign it this user right through Group Policy. If the help desk in your organization does not use Remote Assistance, assign this user right only to the Administrators group or use the Restricted Groups feature to ensure that no user accounts are part of the Remote Desktop Users group.
Restrict this user right to the Administrators group, and possibly the Remote Desktop Users group, to prevent unwanted users from gaining access to computers on your network by means of the Remote Assistance feature.
The recommended state for this setting is: Administrators, Remote Desktop Users. Note: The above list is to be treated as a whitelist, which implies that the above
principals need not be present for assessment of this recommendation to pass.
Note #2: In all versions of Windows prior to Windows 7, Remote Desktop Services was known as Terminal Services, so you should substitute the older term if comparing against an older OS.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Administrators, Remote Desktop Users':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on through Remote Desktop Services'
query: |
Tbd
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.6, CIS_not_completed, english-support-only
contributors: sharon-fdm
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'
platforms: win10
platform: windows
description: |
This setting determines which users can change the time zone of the computer. This ability holds no great danger for the computer and may be useful for mobile workers.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Administrators, LOCAL SERVICE, Users':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Change the time zone'
query: |
tbd
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.9, CIS_not_completed, english-support-only
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure 'Deny log on as a batch job' includes 'Guest'
platforms: win10
platform: windows
description: |
This policy setting determines which accounts will not be able to log on to the computer as a
batch job. A batch job is not a batch (.bat) file, but rather a batch-queue facility. Accounts that use the Task Scheduler to schedule jobs need this user right.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, ensure that the following UI path includes 'Guests'
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as a batch job'
query: |
TBD
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.17, CIS_not_completed, english-support-only
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure 'Deny log on as a service' includes 'Guest'
platforms: win10
platform: windows
description: |
This security setting determines which service accounts are prevented from registering a process
as a service. This user right supersedes the Log on as a service user right if an account is subject to both policies.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, ensure that the following UI path includes 'Guests'
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as a service'
query: |
TBD
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.18, CIS_not_completed, english-support-only
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure 'Log on as a batch job' is set to 'Administrators'
platforms: win10
platform: windows
description: |
This policy setting allows accounts to log on using the task scheduler service. Because the task
scheduler is often used for administrative purposes, it may be needed in enterprise
environments. However, its use should be restricted in high security environments to prevent
misuse of system resources or to prevent attackers from using the right to launch malicious code
after gaining user level access to a computer.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, ensure that the following UI path is set to an empty list
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a batch job'
query: |
TBD
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.28, CIS_not_completed, english-support-only
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: CIS - Configure 'Log on as a service'
platforms: win10
platform: windows
description: |
This policy setting allows accounts to launch network services or to register a process as a
service running on the system. This user right should be restricted on any computer in a high
security environment, but because many applications may require this privilege, it should be
carefully evaluated and tested before configuring it in an enterprise environment. On Windows
Vista-based (and newer) computers, no users or groups have this privilege by default.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, ensure that the following UI path is set to an empty list
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a service'
query: |
TBD
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.29, CIS_not_completed, english-support-only
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure 'Perform volume maintenance tasks' is set to 'Administrators'
platforms: win10
platform: windows
description: |
This policy setting allows users to manage the system's volume or disk configuration, which could allow a user to delete a volume and cause data loss as well as a denial-ofservice condition.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, ensure that the following UI path is set to an empty list
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Perform volume maintenance tasks'
query: |
TBD
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.33, CIS_not_completed, english-support-only
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'
platforms: win10
platform: windows
description: |
This policy setting allows users to use tools to view the performance of different system
processes, which could be abused to allow attackers to determine a system's active processes and
provide insight into the potential attack surface of the computer.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, ensure that the following UI path is set to an empty list
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Profile system performance'
query: |
TBD
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.35, CIS_not_completed, english-support-only
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'
platforms: win10
platform: windows
description: |
This policy setting allows one process or service to start another service or process with a
different security access token, which can be used to modify the security access token of that sub-process and result in the escalation of privileges.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, ensure that the following UI path is set to an empty list
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Replace a process level token'
query: |
TBD
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.36, CIS_not_completed, english-support-only
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure 'Shut down the system' is set to 'Administrators, Users'
platforms: win10
platform: windows
description: |
This policy setting determines which users who are logged on locally to the computers in your
environment can shut down the operating system with the Shut Down command. Misuse of this user right can result in a denial of service condition.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, ensure that the following UI path is set to an empty list
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Shut down the system'
query: |
TBD
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.38, CIS_not_completed, english-support-only
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Network access : Allow anonymous SID/Name translation' is set to 'Disabled'
platforms: win10
platform: windows
description: |
This policy setting determines whether an anonymous user can request security identifier
(SID) attributes for another user, or use a SID to obtain its corresponding user name.
The recommended state for this setting is: Disabled.
resolution: |
To establish the recommended configuration via GP, set the following UI path to Disabled:
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Allow anonymous SID/Name translation'
query: |
TBD
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.10.1, CIS_not_completed
contributors: rachelelysia
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure 'Network security Force logoff when logon hours expire' is set to 'Enabled'
platforms: win10
platform: windows
description: |
This policy setting determines whether to disconnect users who are connected to the local
computer outside their user account's valid logon hours. This setting affects the Server Message
Block (SMB) component.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Enabled':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Force logoff when logon hours expire'
query: |
TBD
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.11.6, CIS_not_completed
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'
platforms: win10
platform: windows
description: |
This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.
All removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.
resolution: |
To establish the recommended configuration via GP, set the following UI path to Enabled:
'Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\Deny write access to removable drives not protected by BitLocker'
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template VolumeEncryption.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
query:
# TODO Able to set the GPO however,
# The HKEY RDVDenyWriteAccess is not showing up in the registry after modification
# Very odd as the rest of the section was perfectly fine
# SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\FVE\RDVDenyWriteAccess' AND data = );
purpose: Informational
tags: compliance, CIS, CIS_BitLocker, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.11.3.14, CIS_not_completed
contributors: rachelelysia
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Audit Account Lockout' is set to include 'Failure'
platforms: win10
platform: windows
description: |
This subcategory reports when a user's account is locked out as a result of too many failed logon attempts. Events for this subcategory include:
- 4625: An account failed to log on.
resolution: |
To establish the recommended configuration via GP, set the following UI path to include Failure:
'Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff\Audit Account Lockout'
query:
# TODO No HKEY or OMA-URI for 17.5.x
# TODO Can't test, select * from mdm_bridge; is returning enrollment_status: device_not_enrolled
# OMA-URI provided here looks like only use for Microsoft InTune: https://www.tenable.com/audits/items/CIS_MS_InTune_for_Windows_10_2004_Level_1_v1.0.1.audit:c7ba8f71918f1ca040747fbec5ab33f3
# SELECT 1 FROM mdm_bridge where mdm_command_input = "<SyncBody><Get><CmdID>1</CmdID><Item><Target><LocURI>./Device/Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditAccountLockout</LocURI></Target></Item></Get></SyncBody>" AND mdm_command_output = "2";
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_17.5.1
contributors: rachelelysia
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Audit Group Membership' is set to include 'Success'
platforms: win10
platform: windows
description: |
This policy allows you to audit the group membership information in the users logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource.
resolution: |
To establish the recommended configuration via GP, set the following UI path to include Success:
'Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff\Audit Group Membership'
query:
# TODO No HKEY or OMA-URI for 17.5.x
# TODO Can't test, select * from mdm_bridge; is returning enrollment_status: device_not_enrolled
# OMA-URI provided here looks like only use for Microsoft InTune: https://www.tenable.com/audits/items/CIS_MS_InTune_for_Windows_10_2004_Level_1_v1.0.1.audit:ee85b155b604aa453fafc9c6d5418e33
# SELECT 1 FROM mdm_bridge where mdm_command_input = "<SyncBody><Get><CmdID>1</CmdID><Item><Target><LocURI>./Device/Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditGroupMembership</LocURI></Target></Item></Get></SyncBody>" AND mdm_command_output = "1";
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_17.5.2
contributors: rachelelysia
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Audit Logoff' is set to include 'Success'
platforms: win10
platform: windows
description: |
This subcategory reports when a user logs off from the system. These events occur on the accessed computer. For interactive logons, the generation of these events occurs on the computer that is logged on to. If a network logon takes place to access a share, these events generate on the computer that hosts the accessed resource. If you configure this setting to No auditing, it is difficult or impossible to determine which user has accessed or attempted to access organization computers. Events for this subcategory include:
- 4634: An account was logged off.
- 4647: User initiated logoff.
resolution: |
To establish the recommended configuration via GP, set the following UI path to include Success:
'Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff\Audit Logoff'
query:
# TODO No HKEY or OMA-URI for 17.5.x
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_17.5.3
contributors: rachelelysia
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Audit Logon' is set to 'Success and Failure'
platforms: win10
platform: windows
description: |
This subcategory reports when a user attempts to log on to the system. These events occur on the accessed computer. For interactive logons, the generation of these events occurs on the computer that is logged on to. If a network logon takes place to access a share, these events generate on the computer that hosts the accessed resource. If you configure this setting to No auditing, it is difficult or impossible to determine which user has accessed or attempted to access organization computers. Events for this subcategory include:
- 4624: An account was successfully logged on.
- 4625: An account failed to log on.
- 4648: A logon was attempted using explicit credentials.
- 4675: SIDs were filtered.
resolution: |
To establish the recommended configuration via GP, set the following UI path to Success and Failure:
'Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff\Audit Logon'
query:
# TODO No HKEY or OMA-URI for 17.5.x
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_17.5.4
contributors: rachelelysia
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'
platforms: win10
platform: windows
description: |
This subcategory reports other logon/logoff-related events, such as Remote Desktop Services session disconnects and reconnects, using RunAs to run processes under a different account, and locking and unlocking a workstation. Events for this subcategory include:
- 4649: A replay attack was detected.
- 4778: A session was reconnected to a Window Station.
- 4779: A session was disconnected from a Window Station.
- 4800: The workstation was locked.
- 4801: The workstation was unlocked.
- 4802: The screen saver was invoked.
- 4803: The screen saver was dismissed.
- 5378: The requested credentials delegation was disallowed by policy.
- 5632: A request was made to authenticate to a wireless network.
- 5633: A request was made to authenticate to a wired network.
resolution: |
To establish the recommended configuration via GP, set the following UI path to Success and Failure:
'Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff\Audit Other Logon/Logoff Events'
query:
# TODO No HKEY or OMA-URI for 17.5.x
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_17.5.5
contributors: rachelelysia
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Audit Special Logon' is set to include 'Success'
platforms: win10
platform: windows
description: |
This subcategory reports when a special logon is used. A special logon is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. Events for this subcategory include:
- 4964 : Special groups have been assigned to a new logon.
resolution: |
To establish the recommended configuration via GP, set the following UI path to include Success:
'Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff\Audit Special Logon'
query:
# TODO No HKEY or OMA-URI for 17.5.x
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_17.5.6
contributors: rachelelysia
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Configure DNS over HTTPS (DoH) name resolution' is set to 'Enabled: Allow DoH' or higher
platforms: win11
platform: windows
description: |
This policy is meant for Windows 11.
This setting determines if DNS over HTTPS (DoH) is used by the system. DNS over HTTPS (DoH) is a protocol for performing remote Domain Name System (DNS) resolution over the Hypertext Transfer Protocol Secure (HTTPS). For additional information on DNS over HTTPS (DoH), visit: Secure DNS Client over HTTPS (DoH) on Windows Server 2022 | Microsoft Docs.
The recommended state for this setting is: 'Enabled: Allow DoH'. Configuring this setting to 'Enabled: Require DoH' also conforms to the benchmark.
resolution: |
To establish the recommended configuration via GP, set the following UI path to Enabled: Allow DoH (configuring to Enabled: Require DoH also conforms to the benchmark):
'Computer Configuration\Policies\Administrative Templates\Network\DNS Client\Configure DNS over HTTPS (DoH) name resolution'
query: |
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DoHPolicy' AND data IN (2,3));
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.5.4.1, CIS_not_completed
contributors: DefensiveDepth
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'
platforms: win10
platform: windows
description: |
Although this "legacy" setting traditionally applied to the use of Internet Connection Sharing (ICS) in Windows 2000, Windows XP & Server 2003, this setting now freshly applies to the Mobile Hotspot feature in Windows 10 & Server 2016.
The recommended state for this setting is: Enabled.
resolution: |
To establish the recommended configuration via GP, set the following UI path to On (recommended):
'Computer Configuration\Policies\Administrative Templates\Network\Network Connections\Prohibit use of Internet Connection Sharing on your DNS domain network'
query: |
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections\NC_ShowSharedAccessUI' AND data = 0);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.5.11.3
contributors: DefensiveDepth
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'
platforms: win10
platform: windows
description: |
This policy setting determines whether to require domain users to elevate when setting a network's location.
The recommended state for this setting is: Enabled.
resolution: |
To establish the recommended configuration via GP, set the following UI path to On (recommended):
'Computer Configuration\Policies\Administrative Templates\Network\Network Connections\Require domain users to elevate when setting a network's location'
query: |
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections\NC_StdDomainUserSetLocation' AND data = 1);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.5.11.4
contributors: DefensiveDepth
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'
platforms: win10
platform: windows
description: |
The "Process even if the Group Policy objects have not changed" option updates and reapplies policies even if the policies have not changed.
resolution: |
To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Process even if the Group Policy objects have not changed option to TRUE (checked):
'Computer Configuration\Policies\Administrative Templates\System\Group Policy\Configure registry policy processing'
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
query: |
TBD
# Registry key wont change on edit (from 1 to 0)
# SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Group Policy\\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoGPOListChanges' AND data = 0);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_not_completed, CIS_domain_joined_required, CIS_bullet_18.8.21.3, CIS_not_completed
contributors: rachelelysia
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Continue experiences on this device' is set to 'Disabled'
platforms: win10
platform: windows
description: |
This policy setting determines whether the Windows device is allowed to participate in cross-device experiences (continue experiences).
resolution: |
To establish the recommended configuration via GP, set the following UI path to Disabled:
'Computer Configuration\Policies\Administrative Templates\System\Group Policy\Continue experiences on this device'
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
query: |
TBD
# Registry key wont change on edit (from 1 to 0)
# SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\EnableCdp' AND data = 0);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_not_completed, CIS_domain_joined_required, CIS_bullet_18.8.21.4, CIS_not_completed
contributors: rachelelysia
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'
platforms: win10
platform: windows
description: |
This policy setting prevents Group Policy from being updated while the computer is in use.
This policy setting applies to Group Policy for computers, users and Domain Controllers.
resolution: |
To establish the recommended configuration via GP, set the following UI path to Disabled:
'Computer Configuration\Policies\Administrative Templates\System\Group Policy\Turn off background refresh of Group Policy'
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
query: |
TBD
# DisableBkGndGroupPolicy registry path does not exist even with psexec.exe
# Untested: SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\DisableBkGndGroupPolicy' AND data = 0);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_not_completed, CIS_domain_joined_required, CIS_bullet_18.8.21.5
contributors: rachelelysia
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Turn off cloud consumer account state content' is set to 'Enabled'
platforms: win10
platform: windows
description: |
This policy setting determines whether cloud consumer account state content is allowed in all Windows experiences.
resolution: |
To establish the recommended configuration via GP, set the following UI path to Enabled:
'Computer Configuration\Policies\Administrative Templates\Windows Components\Cloud Content\Turn off cloud consumer account state content'
query: |
# TBD
# 'Turn off cloud consumer account state content' does not exist in group policy editor even though CloudContent.admx exists and other policies exist
# Untested: Select 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\\Windows\\CloudContent\DisableConsumerAccountStateContent' AND data = 1);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.14.1, CIS_not_completed
contributors: rachelelysia
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Disable OneSettings Downloads' is set to 'Enabled'
platforms: win11
platform: windows
description: |
This policy is meant for Windows 11.
This policy setting controls whether Windows attempts to connect with the OneSettings service to download configuration settings.
resolution: |
To establish the recommended configuration via GP, set the following UI path to Enabled:
'Computer Configuration\Policies\Administrative Templates\Windows Components\Data Collection and Preview Builds\Disable OneSettings Downloads'
query: |
# Untested on Win11: SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\DisableOneSettingsDownloads' AND data = 1);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.17.3, CIS_not_completed
contributors: rachelelysia
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Enable OneSettings Auditing' is set to 'Enabled'
platforms: win11
platform: windows
description: |
This policy is meant for Windows 11.
This policy setting controls whether Windows records attempts to connect with the OneSettings service to the Operational EventLog.
resolution: |
To establish the recommended configuration via GP, set the following UI path to Enabled:
'Computer Configuration\Policies\Administrative Templates\Windows Components\Data Collection and Preview Builds\Enable OneSettings Auditing'
query: |
# Untested on Win11: SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\DataCollection\EnableOneSettingsAuditing' AND data = 1);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.17.5, CIS_not_completed
contributors: rachelelysia
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled'
platforms: win11
platform: windows
description: |
This policy is meant for Windows 11.
This policy setting controls whether additional diagnostic logs are collected when more information is needed to troubleshoot a problem on the device.
resolution: |
To establish the recommended configuration via GP, set the following UI path to Enabled:
'Computer Configuration\Policies\Administrative Templates\Windows Components\Data Collection and Preview Builds\Limit Diagnostic Log Collection'
query: |
# Untested on Win 11: SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\LimitDiagnosticLogCollection' AND data = 1);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.17.6, CIS_not_completed
contributors: rachelelysia
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Limit Dump Collection' is set to 'Enabled'
platforms: win11
platform: windows
description: |
This policy is meant for Windows 11.
This policy setting limits the type of dumps that can be collected when more information is needed to troubleshoot a problem.
resolution: |
To establish the recommended configuration via GP, set the following UI path to Enabled.
'Computer Configuration\Policies\Administrative Templates\Windows Components\Data Collection and Preview Builds\Limit Dump Collection'
query: |
# Untested on Win 11: SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\LimitDumpCollection' AND data = 1);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.17.7, CIS_not_completed
contributors: rachelelysia
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Join Microsoft MAPS' is set to 'Disabled'
platforms: win10
platform: windows
description: |
This policy setting allows you to join Microsoft Active Protection Service (MAPS), which Microsoft renamed to Windows Defender Antivirus Cloud Protection Service and then Microsoft Defender Antivirus Cloud Protection Service.
Microsoft MAPS / Microsoft Defender Antivirus Cloud Protection Service is the online community that helps you choose how to respond to potential threats.
resolution: |
To establish the recommended configuration via GP, set the following UI path to Enabled:
'Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MAPS\Join Microsoft MAPS'
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
query: |
# Recommended registry key does not exist
# SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Spynet\\SpynetReporting' AND data = 0);
purpose: Informational
tags: compliance, CIS, CIS_Level2, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.47.4.2
contributors: artemist-work
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Configure Attack Surface Reduction Rules' is set to 'Enabled'
platforms: win10
platform: windows
description: |
This policy setting controls the state for the Attack Surface Reduction (ASR) rules.
resolution: |
To establish the recommended configuration via GP, set the following UI path to Enabled:
'Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Attack Surface Reduction\Configure Attack Surface Reduction rules'
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
query: |
# Recommended registry key does not exist
# SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ExploitGuard_ASR_Rules' AND data = 1);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.47.5.1.1
contributors: artemist-work
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured
platforms: win10
platform: windows
description: |
This policy setting sets the Attack Surface Reduction rules.
resolution: |
To establish the recommended configuration via GP, set the following UI path so that
26190899-1602-49e8-8b27-eb1d0a1ce869,
3b576869-a4ec-4529-8536-b80a7769e899,
5beb7efe-fd9a-4556-801d-275e5ffc04cc,
75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,
7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,
92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,
9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,
b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,
be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,
d3e037e1-3eb8-44c8-a917-57927947596d,
d4f940ab-401b-4efc-aadc-ad5f3c50688a, and
e6db77e5-3df2-4cf1-b95a-636979351e5b are each set to a value of 1:
'Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Attack Surface Reduction\Configure Attack Surface Reduction rules: Set the state for each ASR rule'
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
query: |
# Recommended registry keys do not exist
# SELECT 1 WHERE EXISTS (SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules\\26190899-1602-49e8-8b27-eb1d0a1ce869' AND data = 1)
# AND EXISTS (SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules\\3b576869-a4ec-4529-8536-b80a7769e899' AND data = 1)
# AND EXISTS (SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules\\5beb7efe-fd9a-4556-801d-275e5ffc04cc' AND data = 1)
# AND EXISTS (SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules\\75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84' AND data = 1)
# AND EXISTS (SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules\\7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c' AND data = 1)
# AND EXISTS (SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules\\92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b' AND data = 1)
# AND EXISTS (SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules\\9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' AND data = 1)
# AND EXISTS (SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules\\b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' AND data = 1)
# AND EXISTS (SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules\\be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' AND data = 1)
# AND EXISTS (SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules\\d3e037e1-3eb8-44c8-a917-57927947596d' AND data = 1)
# AND EXISTS (SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules\\d4f940ab-401b-4efc-aadc-ad5f3c50688a' AND data = 1)
# AND EXISTS (SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules\\e6db77e5-3df2-4cf1-b95a-636979351e5b' AND data = 1);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.47.5.1.2
contributors: artemist-work
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Enable file hash computation feature' is set to 'Enabled'
platforms: win10
platform: windows
description: |
This setting determines whether hash values are computed for files scanned by Microsoft Defender.
resolution: |
To establish the recommended configuration via GP, set the following UI path to 'Enabled':
'Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MpEngine\Enable file hash computation feature'
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
query: |
# Recommended registry keys do not exist
# SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\MpEngine\\EnableFileHashComputation' AND data = 1);
purpose: Informational
tags: compliance, CIS, CIS_Level2, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.47.6.1
contributors: artemist-work
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Turn on script scanning' is set to 'Enabled'
platforms: win10
platform: windows
description: |
This policy setting allows script scanning to be turned on/off. Script scanning intercepts scripts then scans them before they are executed on the system.
The recommended state for this setting is: Enabled.
resolution: |
To establish the recommended configuration via GP, set the following UI path to 'Enabled':
'Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-Time Protection\Turn on script scanning'
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
query: |
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableScriptScanning' AND data = 0);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.47.9.4
contributors: sharon-fdm
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Allow UI Automation redirection' is set to 'Disabled'
platforms: win10
platform: windows
description: |
This policy setting determines whether User Interface (UI) Automation client applications running on the local computer can access UI elements on the server.
resolution: |
To establish the recommended configuration via GP, set the following UI path to 'Disabled':
'Computer Configuration\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Allow UI Automation redirection'
query: |
# Cannot test because UI path does not exist
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\EnableUiaRedirection' AND data = 0);
purpose: Informational
tags: compliance, CIS, CIS_Level2, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.65.3.3.1
contributors: artemist-work
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Do not allow location redirection' is set to 'Enabled'
platforms: win10
platform: windows
description: |
This policy setting controls the redirection of location data to the remote computer in a Remote Desktop Services session.
resolution: |
To establish the recommended configuration via GP, set the following UI path to 'Enabled':
'Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow location redirection'
query: |
# Cannot test because UI path does not exist
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\fDisableLocationRedir' AND data = 1);
purpose: Informational
tags: compliance, CIS, CIS_Level2, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.65.3.3.4
contributors: artemist-work
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Turn off Spotlight collection on Desktop' is set to 'Enabled'
platforms: win11
platform: windows
description: |
This policy is meant for Windows 11.
This policy setting removes the Spotlight collection setting in Personalization, rendering the user unable to select and subsequently download daily images from Microsoft to the system desktop.
resolution: |
To establish the recommended configuration via GP, set the following UI path to Enabled:
'User Configuration\Policies\Administrative Templates\Windows Components\Cloud Content\Turn off Spotlight collection on Desktop'
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CloudContent.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer).
query: |
TODO
# Untested: SELECT 1 FROM registry WHERE (path LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\%\Software\Policies\Microsoft\Windows\CloudContent\DisableSpotlightCollectionOnDesktop' AND data = 1);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_19.7.8.5, CIS_not_completed
contributors: rachelelysia
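Review bot: the commit message says the last 20 pending policies were completed, but several entries removed in this file have no counterpart in the hunks shown for the target file, and the caveats attached to them disappear with the file: 'Join Microsoft MAPS' (`# Recommended registry key does not exist`), both 'Configure Attack Surface Reduction rules' entries, 'Enable file hash computation feature', 'Turn on script scanning', the two Remote Desktop redirection policies (`# Cannot test because UI path does not exist`) and 'Turn off Spotlight collection on Desktop' (`TODO`, with an `HKEY_USERS\%` wildcard query). Please state in the PR description where each of these lands and how the registry values that were annotated as missing or untested were verified, since the `CIS_not_completed` tags are dropped along with the annotations.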


@ -4487,6 +4487,26 @@ spec:
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Configure DNS over HTTPS (DoH) name resolution' is set to 'Enabled: Allow DoH' or higher
platforms: win11
platform: windows
description: |
This policy is meant for Windows 11.
This setting determines if DNS over HTTPS (DoH) is used by the system. DNS over HTTPS (DoH) is a protocol for performing remote Domain Name System (DNS) resolution over the Hypertext Transfer Protocol Secure (HTTPS). For additional information on DNS over HTTPS (DoH), visit: Secure DNS Client over HTTPS (DoH) on Windows Server 2022 | Microsoft Docs.
The recommended state for this setting is: 'Enabled: Allow DoH'. Configuring this setting to 'Enabled: Require DoH' also conforms to the benchmark.
resolution: |
To establish the recommended configuration via GP, set the following UI path to Enabled: Allow DoH (configuring to Enabled: Require DoH also conforms to the benchmark):
'Computer Configuration\Policies\Administrative Templates\Network\DNS Client\Configure DNS over HTTPS (DoH) name resolution'
query: |
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DoHPolicy' AND data = 2);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.5.4.1
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Turn off multicast name resolution' is set to 'Enabled'
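Review bot: the query `SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DoHPolicy' AND data = 2);` accepts exactly one value, while the policy name says 'Enabled: Allow DoH' or higher and the description states that 'Enabled: Require DoH' also conforms to the benchmark, so a host configured with Require DoH would be reported as failing. Extend the condition to the value Require DoH writes to `DoHPolicy` (confirm it against the ADMX first, then something like `data IN (2, <require value>)`) so the check matches the stated pass criteria. Separately, this path uses single backslashes while later hunks in the same file use doubled ones; pick one convention for the file.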
@ -4620,6 +4640,44 @@ spec:
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'
platforms: win10
platform: windows
description: |
Although this "legacy" setting traditionally applied to the use of Internet Connection Sharing (ICS) in Windows 2000, Windows XP & Server 2003, this setting now freshly applies to the Mobile Hotspot feature in Windows 10 & Server 2016.
The recommended state for this setting is: Enabled.
resolution: |
To establish the recommended configuration via GP, set the following UI path to On (recommended):
'Computer Configuration\Policies\Administrative Templates\Network\Network Connections\Prohibit use of Internet Connection Sharing on your DNS domain network'
query: |
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections\NC_ShowSharedAccessUI' AND data = 0);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.5.11.3
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'
platforms: win10
platform: windows
description: |
This policy setting determines whether to require domain users to elevate when setting a network's location.
The recommended state for this setting is: Enabled.
resolution: |
To establish the recommended configuration via GP, set the following UI path to On (recommended):
'Computer Configuration\Policies\Administrative Templates\Network\Network Connections\Require domain users to elevate when setting a network's location'
query: |
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections\NC_StdDomainUserSetLocation' AND data = 1);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.5.11.4
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Allow Print Spooler to accept client connections' is set to 'Disabled'
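Review bot: both resolutions in this hunk say to set the UI path to "On (recommended)", but the policy names state 'Enabled' and every other Administrative Template entry in this file says "set the following UI path to Enabled"; align the wording with the name so operators are not sent looking for an On/Off toggle that the Group Policy editor does not present for these settings.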
@ -5035,6 +5093,69 @@ spec:
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'
platforms: win10
platform: windows
description: |
The "Process even if the Group Policy objects have not changed" option updates and reapplies policies even if the policies have not changed.
resolution: |
To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Process even if the Group Policy objects have not changed option to TRUE (checked):
'Computer Configuration\Policies\Administrative Templates\System\Group Policy\Configure registry policy processing'
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
query: |
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Group Policy\\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoGPOListChanges' AND data = 0);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_domain_joined_required, CIS_bullet_18.8.21.3
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Continue experiences on this device' is set to 'Disabled'
platforms: win10
platform: windows
description: |
This policy setting determines whether the Windows device is allowed to participate in cross-device experiences (continue experiences).
resolution: |
To establish the recommended configuration via GP, set the following UI path to Disabled:
'Computer Configuration\Policies\Administrative Templates\System\Group Policy\Continue experiences on this device'
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
query: |
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\EnableCdp' AND data = 0);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_domain_joined_required, CIS_bullet_18.8.21.4
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'
platforms: win10
platform: windows
description: |
This policy setting prevents Group Policy from being updated while the computer is in use.
This policy setting applies to Group Policy for computers, users and Domain Controllers.
resolution: |
To establish the recommended configuration via GP, set the following UI path to Disabled:
'Computer Configuration\Policies\Administrative Templates\System\Group Policy\Turn off background refresh of Group Policy'
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
query: |
# The registry key is not present when policy is disabled, so query below is returning 1 when policy is disabled and registry value does not exist. It also return 1 in case policy is enabled and its registry value is 1
SELECT 1 WHERE (
NOT EXISTS ( SELECT 1 FROM registry WHERE key = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System' AND name = 'DisableBkGndGroupPolicy' )
) OR (
NOT EXISTS ( SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableBkGndGroupPolicy' AND data = 1 )
);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_domain_joined_required, CIS_bullet_18.8.21.5
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Turn off access to the Store' is set to 'Enabled'
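Review bot: the comment above the 'Turn off background refresh of Group Policy' query contradicts the SQL beneath it. It says the query "also return 1 in case policy is enabled and its registry value is 1", but `NOT EXISTS ( SELECT 1 FROM registry WHERE path = '...\\DisableBkGndGroupPolicy' AND data = 1 )` returns a row exactly when the value is not 1 (absent or 0), which is the behaviour wanted for a control whose recommended state is Disabled. Reword the comment to say that, and note that this second clause already covers the absent-value case, so the first `NOT EXISTS` over `key`/`name` is redundant and can be dropped (or kept with a comment explaining why both are needed). Also, the `NoGPOListChanges` and `EnableCdp` paths mix doubled and single backslashes inside one literal (`...\\Group Policy\\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoGPOListChanges`); normalize each path to one form.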
@ -6778,6 +6899,26 @@ spec:
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'
platforms: win10
platform: windows
description: |
This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.
All removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.
resolution: |
To establish the recommended configuration via GP, set the following UI path to Enabled:
'Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\Deny write access to removable drives not protected by BitLocker'
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template VolumeEncryption.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
query:
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\FVE\RDVDenyWriteAccess' AND data = 1);
purpose: Informational
tags: compliance, CIS, CIS_BitLocker, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.11.3.14
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False'
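Review bot: `query:` for 'Deny write access to removable drives not protected by BitLocker' is missing the `|` block indicator that every other `query:` in this file uses; as a plain scalar the SQL still parses as a single-line string, but it breaks the file convention and will fail the moment a comment line or a second statement is added. Change it to `query: |`. The literal also mixes escapes (`...\\Microsoft\\FVE\RDVDenyWriteAccess`); use the same backslash form throughout the path.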
@ -6835,6 +6976,24 @@ spec:
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Turn off cloud consumer account state content' is set to 'Enabled'
platforms: win10
platform: windows
description: |
This policy setting determines whether cloud consumer account state content is allowed in all Windows experiences.
resolution: |
To establish the recommended configuration via GP, set the following UI path to Enabled:
'Computer Configuration\Policies\Administrative Templates\Windows Components\Cloud Content\Turn off cloud consumer account state content'
query: |
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\\Windows\\CloudContent\DisableConsumerAccountStateContent' AND data = 1);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.14.1
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Turn off cloud optimized content' is set to 'Enabled'
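Review bot: the path in `SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\\Windows\\CloudContent\DisableConsumerAccountStateContent' AND data = 1);` has a triple backslash before `Windows` and a single one before the value name, carried over verbatim from the commented-out, untested query in the removed file. Fix the escaping and record how the value was confirmed to exist, since the removed entry noted that this setting did not appear in the Group Policy editor and the `CIS_not_completed` tag is dropped here.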
@ -6983,6 +7142,25 @@ spec:
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Disable OneSettings Downloads' is set to 'Enabled'
platforms: win11
platform: windows
description: |
This policy is meant for Windows 11.
This policy setting controls whether Windows attempts to connect with the OneSettings service to download configuration settings.
resolution: |
To establish the recommended configuration via GP, set the following UI path to Enabled:
'Computer Configuration\Policies\Administrative Templates\Windows Components\Data Collection and Preview Builds\Disable OneSettings Downloads'
query: |
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\DisableOneSettingsDownloads' AND data = 1);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.17.3
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Do not show feedback notifications' is set to 'Enabled'
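Review bot: the 'Disable OneSettings Downloads' entry drops both the `# Untested on Win11` caveat and the `CIS_not_completed` tag from the removed version, while the query itself changes only in its backslash escaping; please record in the PR how it was validated on a Windows 11 host so the removed caveat is not lost silently.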
@ -7001,6 +7179,63 @@ spec:
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Enable OneSettings Auditing' is set to 'Enabled'
platforms: win11
platform: windows
description: |
This policy is meant for Windows 11.
This policy setting controls whether Windows records attempts to connect with the OneSettings service to the Operational EventLog.
resolution: |
To establish the recommended configuration via GP, set the following UI path to Enabled:
'Computer Configuration\Policies\Administrative Templates\Windows Components\Data Collection and Preview Builds\Enable OneSettings Auditing'
query: |
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\EnableOneSettingsAuditing' AND data = 1);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.17.5
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled'
platforms: win11
platform: windows
description: |
This policy is meant for Windows 11.
This policy setting controls whether additional diagnostic logs are collected when more information is needed to troubleshoot a problem on the device.
resolution: |
To establish the recommended configuration via GP, set the following UI path to Enabled:
'Computer Configuration\Policies\Administrative Templates\Windows Components\Data Collection and Preview Builds\Limit Diagnostic Log Collection'
query: |
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\LimitEnhancedDiagnosticDataWindowsAnalytics' AND data = 1);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.17.6
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Limit Dump Collection' is set to 'Enabled'
platforms: win11
platform: windows
description: |
This policy is meant for Windows 11.
This policy setting limits the type of dumps that can be collected when more information is needed to troubleshoot a problem.
resolution: |
To establish the recommended configuration via GP, set the following UI path to Enabled.
'Computer Configuration\Policies\Administrative Templates\Windows Components\Data Collection and Preview Builds\Limit Dump Collection'
query: |
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\LimitDumpCollection' AND data = 1);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.17.7
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Toggle user control over Insider builds' is set to 'Disabled'
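Review bot: the 'Limit Dump Collection' query writes `DataCollection\LimitDumpCollection` with a single backslash, whereas the three neighbouring DataCollection queries ('Disable OneSettings Downloads', 'Enable OneSettings Auditing', 'Limit Diagnostic Log Collection') use `\\` throughout; use the same form so all four match consistently. Smaller style point in the same policy: its resolution line ends "set the following UI path to Enabled." with a period, while every other resolution in this patch ends with a colon before the quoted UI path.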
@ -7337,6 +7572,108 @@ spec:
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Join Microsoft MAPS' is set to 'Disabled'
platforms: win10
platform: windows
description: |
This policy setting allows you to join Microsoft Active Protection Service (MAPS), which Microsoft renamed to Windows Defender Antivirus Cloud Protection Service and then Microsoft Defender Antivirus Cloud Protection Service.
Microsoft MAPS / Microsoft Defender Antivirus Cloud Protection Service is the online community that helps you choose how to respond to potential threats.
resolution: |
To establish the recommended configuration via GP, set the following UI path to Enabled:
'Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MAPS\Join Microsoft MAPS'
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
query: |
# The registry key is not present when policy is disabled, so query below is returning 1 when policy is disabled and registry value does not exist. It also return 1 in case policy is enabled and its registry value is 1 or 2
SELECT 1 WHERE (
NOT EXISTS ( SELECT 1 FROM registry WHERE key = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Spynet' AND name = 'SpynetReporting' )
) OR (
NOT EXISTS ( SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Spynet\\SpynetReporting' AND data != 0 )
);
purpose: Informational
tags: compliance, CIS, CIS_Level2, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.47.4.2
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Configure Attack Surface Reduction Rules' is set to 'Enabled'
platforms: win10
platform: windows
description: |
This policy setting controls the state for the Attack Surface Reduction (ASR) rules.
resolution: |
To establish the recommended configuration via GP, set the following UI path to Enabled:
'Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Attack Surface Reduction\Configure Attack Surface Reduction rules'
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
query: |
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\ExploitGuard_ASR_Rules' AND data = 1);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.47.5.1.1
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured
platforms: win10
platform: windows
description: |
This policy setting sets the Attack Surface Reduction rules.
resolution: |
To establish the recommended configuration via GP, set the following UI path so that
26190899-1602-49e8-8b27-eb1d0a1ce869,
3b576869-a4ec-4529-8536-b80a7769e899,
5beb7efe-fd9a-4556-801d-275e5ffc04cc,
75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,
7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,
92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,
9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,
b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,
be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,
d3e037e1-3eb8-44c8-a917-57927947596d,
d4f940ab-401b-4efc-aadc-ad5f3c50688a, and
e6db77e5-3df2-4cf1-b95a-636979351e5b are each set to a value of 1:
'Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Attack Surface Reduction\Configure Attack Surface Reduction rules: Set the state for each ASR rule'
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
query: |
SELECT 1
WHERE EXISTS (
SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\ExploitGuard_ASR_Rules' AND data = 1
) AND EXISTS (
SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules\\26190899-1602-49e8-8b27-eb1d0a1ce869' AND data = 1
) AND EXISTS (
SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules\\3b576869-a4ec-4529-8536-b80a7769e899' AND data = 1
) AND EXISTS (
SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules\\5beb7efe-fd9a-4556-801d-275e5ffc04cc' AND data = 1
) AND EXISTS (
SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules\\75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84' AND data = 1
) AND EXISTS (
SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules\\7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c' AND data = 1
) AND EXISTS (
SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules\\92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b' AND data = 1
) AND EXISTS (
SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules\\9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' AND data = 1
) AND EXISTS (
SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules\\b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' AND data = 1
) AND EXISTS (
SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules\\be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' AND data = 1
) AND EXISTS (
SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules\\d3e037e1-3eb8-44c8-a917-57927947596d' AND data = 1
) AND EXISTS (
SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules\\d4f940ab-401b-4efc-aadc-ad5f3c50688a' AND data = 1
) AND EXISTS (
SELECT 1 FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules\\e6db77e5-3df2-4cf1-b95a-636979351e5b' AND data = 1
);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.47.5.1.2
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'
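Review bot: the 'Join Microsoft MAPS' policy is titled "is set to 'Disabled'" but its resolution tells the operator to set the UI path to Enabled; that should read 'Disabled', otherwise the remediation text contradicts both the title and the check. The comment above that query also misdescribes it: the second `NOT EXISTS` passes only when `SpynetReporting` is absent or 0, so a value of 1 or 2 produces no row (the intended failing result), not a 1 as the comment claims. The first `NOT EXISTS` (keyed on `key`/`name`) is redundant because an absent value already satisfies the second clause, and it queries by `key`/`name` while the rest of the patch queries by `path`; rewrite the comment to state "passes when the value is absent or 0" and consider dropping the first clause so the query uses one lookup style. The two 'Configure Attack Surface Reduction' policies look consistent with the GUID list in their resolution.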
@ -7375,6 +7712,25 @@ spec:
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Enable file hash computation feature' is set to 'Enabled'
platforms: win10
platform: windows
description: |
This setting determines whether hash values are computed for files scanned by Microsoft Defender.
resolution: |
To establish the recommended configuration via GP, set the following UI path to 'Enabled':
'Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MpEngine\Enable file hash computation feature'
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
query: |
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\MpEngine\\EnableFileHashComputation' AND data = 1);
purpose: Informational
tags: compliance, CIS, CIS_Level2, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.47.6.1
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'
@ -7436,6 +7792,26 @@ spec:
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Turn on script scanning' is set to 'Enabled'
platforms: win10
platform: windows
description: |
This policy setting allows script scanning to be turned on/off. Script scanning intercepts scripts then scans them before they are executed on the system.
The recommended state for this setting is: Enabled.
resolution: |
To establish the recommended configuration via GP, set the following UI path to 'Enabled':
'Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-Time Protection\Turn on script scanning'
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
query: |
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableScriptScanning' AND data = 0);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.47.9.4
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Configure Watson events' is set to 'Disabled'
@ -7714,6 +8090,42 @@ spec:
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Allow UI Automation redirection' is set to 'Disabled'
platforms: win10
platform: windows
description: |
This policy setting determines whether User Interface (UI) Automation client applications running on the local computer can access UI elements on the server.
resolution: |
To establish the recommended configuration via GP, set the following UI path to 'Disabled':
'Computer Configuration\\Administrative Templates\\Windows Components\\Remote Desktop Services\\Remote Desktop Session Host\\Device and Resource Redirection\\Allow UI Automation redirection'
query: |
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\EnableUiaRedirection' AND data = 0);
purpose: Informational
tags: compliance, CIS, CIS_Level2, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.65.3.3.1
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Do not allow location redirection' is set to 'Enabled'
platforms: win10
platform: windows
description: |
This policy setting controls the redirection of location data to the remote computer in a Remote Desktop Services session.
resolution: |
To establish the recommended configuration via GP, set the following UI path to 'Enabled':
'Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow location redirection'
query: |
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\fDisableLocationRedir' AND data = 1);
purpose: Informational
tags: compliance, CIS, CIS_Level2, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.65.3.3.4
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Prevent downloading of enclosures' is set to 'Enabled'
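Review bot: the resolution UI path for 'Allow UI Automation redirection' uses doubled backslashes (`Computer Configuration\\Administrative Templates\\Windows Components\\...`) while every other resolution in this patch, including the adjacent 'Do not allow location redirection', uses single backslashes; this text is displayed to the user verbatim, so it should use the single form. Both of these Remote Desktop resolutions also omit the `Policies\` component (`Computer Configuration\Policies\Administrative Templates\...`) that all the other GP paths in the patch include; align them for consistency.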
@ -9011,6 +9423,26 @@ spec:
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Turn off Spotlight collection on Desktop' is set to 'Enabled'
platforms: win11
platform: windows
description: |
This policy is meant for Windows 11.
This policy setting removes the Spotlight collection setting in Personalization, rendering the user unable to select and subsequently download daily images from Microsoft to the system desktop.
resolution: |
To establish the recommended configuration via GP, set the following UI path to Enabled:
'User Configuration\Policies\Administrative Templates\Windows Components\Cloud Content\Turn off Spotlight collection on Desktop'
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CloudContent.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer).
query: |
SELECT 1 FROM registry WHERE (path LIKE 'HKEY_USERS\%\SOFTWARE\Policies\Microsoft\Windows\CloudContent\DisableSpotlightCollectionOnDesktop' AND data = 1);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_19.7.8.5
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'
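Review bot: the 'Turn off Spotlight collection on Desktop' query uses single backslashes in its `LIKE` pattern (`HKEY_USERS\%\SOFTWARE\Policies\...`) while the other queries in this patch use `\\`; pick one form so the HKEY_USERS checks behave like the HKEY_LOCAL_MACHINE ones. Note also that because the pattern matches any loaded user hive, the policy passes as soon as a single user has `DisableSpotlightCollectionOnDesktop` set to 1 rather than when every user does; if that per-user semantics is intended, state it in the description, otherwise the check should compare the count of matching hives against the count of loaded user hives.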