diff --git a/ee/cis/win-10/cis-policy-queries.yml b/ee/cis/win-10/cis-policy-queries.yml
index 20f8b6c914..373f215d79 100644
--- a/ee/cis/win-10/cis-policy-queries.yml
+++ b/ee/cis/win-10/cis-policy-queries.yml
@@ -2272,6 +2272,158 @@ spec:
 ---
 apiVersion: v1
 kind: policy
+spec:
+ name: >
+ CIS - Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'
+ platforms: win10
+ platform: windows
+ description: |
+ Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile.
+ The recommended state for this setting is: On (recommended).
+ resolution: |
+ To establish the recommended configuration via GP, set the following UI path to On (recommended):
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Windows Defender Firewall with Advanced Security\Windows Defender Firewall with Advanced Security - Local Group Policy Object\Windows Defender Firewall Properties\Domain Profile\Firewall state'
+ query: |
+ SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall' and data = 1);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_9.1.1
+ contributors: DefensiveDepth
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: >
+ CIS - Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'
+ platforms: win10
+ platform: windows
+ description: |
+ This setting determines the behavior for inbound connections that do not match an inbound firewall rule.
+ The recommended state for this setting is: Block (default).
+ resolution: |
+ To establish the recommended configuration via GP, set the following UI path to Block (default):
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Windows Defender Firewall with Advanced Security\Windows Defender Firewall with Advanced Security - Local Group Policy Object\Windows Defender Firewall Properties\Domain Profile\Inbound connections'
+ query: |
+ SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\SOFTWARE\\Policies\\Microsoft\WindowsFirewall\DomainProfile\DefaultInboundAction' and data = 1);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_9.1.2
+ contributors: DefensiveDepth
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: >
+ CIS - Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'
+ platforms: win10
+ platform: windows
+ description: |
+ This setting determines the behavior for outbound connections that do not match an outbound firewall rule.
+ The recommended state for this setting is: Allow (default).
+ resolution: |
+ To establish the recommended configuration via GP, set the following UI path to Allow (default):
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Windows Defender Firewall with Advanced Security\Windows Defender Firewall with Advanced Security - Local Group Policy Object\Windows Defender Firewall Properties\Domain Profile\Outbound connections'
+ query: |
+ SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\\Microsoft\WindowsFirewall\DomainProfile\DefaultOutboundAction' and data = 0);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_9.1.3
+ contributors: DefensiveDepth
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: >
+ CIS - Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'
+ platforms: win10
+ platform: windows
+ description: |
+ Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections.
+ The recommended state for this setting is: No.
+ resolution: |
+ To establish the recommended configuration via GP, set the following UI path to 'No':
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Windows Defender Firewall with Advanced Security\Windows Defender Firewall with Advanced Security - Local Group Policy Object\Windows Defender Firewall Properties\Domain Profile\Settings Customize\Display a notification'
+ query: |
+ SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\DisableNotifications' and data = 1);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_9.1.4
+ contributors: DefensiveDepth
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: >
+ CIS - Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log'
+ platforms: win10
+ platform: windows
+ description: |
+ Use this option to specify the path and name of the file in which Windows Firewall will write its log information.
+ The recommended state for this setting is: %SystemRoot%\System32\logfiles\firewall\domainfw.log.
+ resolution: |
+ To establish the recommended configuration via GP, set the following UI path to %SystemRoot%\System32\logfiles\firewall\domainfw.log:
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Windows Defender Firewall with Advanced Security\Windows Defender Firewall with Advanced Security - Local Group Policy Object\Windows Defender Firewall Properties\Domain Profile\Logging Customize\Name'
+ query: |
+ SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging\LogFilePath' and data = '%SystemRoot%\System32\logfiles\firewall\domainfw.log');
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_9.1.5
+ contributors: DefensiveDepth
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: >
+ CIS - Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'
+ platforms: win10
+ platform: windows
+ description: |
+ Use this option to specify the size limit of the file in which Windows Firewall will write its log information.
+ The recommended state for this setting is: 16,384 KB or greater.
+ resolution: |
+ To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater:
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Windows Defender Firewall with Advanced Security\Windows Defender Firewall with Advanced Security - Local Group Policy Object\Windows Defender Firewall Properties\Domain Profile\Logging Customize\Size limit (KB)'
+ query: |
+ SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\\Microsoft\WindowsFirewall\DomainProfile\Logging\LogFileSize' and CAST(data as integer) >= 16384 );
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_9.1.6
+ contributors: DefensiveDepth
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: >
+ CIS - Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'
+ platforms: win10
+ platform: windows
+ description: |
+ Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log.
+ The recommended state for this setting is: Yes.
+ resolution: |
+ To establish the recommended configuration via GP, set the following UI path to Yes:
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile\Logging Customize\Log dropped packets'
+ query: |
+ SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging\LogDroppedPackets' and data == 1);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_9.1.7
+ contributors: DefensiveDepth
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: >
+ CIS - Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'
+ platforms: win10
+ platform: windows
+ description: |
+ Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log.
+ The recommended state for this setting is: Yes.
+ resolution: |
+ To establish the recommended configuration via GP, set the following UI path to Yes.
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Windows Defender Firewall with Advanced Security\Windows Defender Firewall with Advanced Security - Local Group Policy Object\Windows Defender Firewall Properties\Domain Profile\Logging Customize\Log successful connections'
+ query: |
+ SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging\LogSuccessfulConnections' and data = 1 );
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_9.1.8
+ contributors: DefensiveDepth
+---
+apiVersion: v1
+kind: policy
 spec:
 name: >
 CIS - Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'
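Review bot: The registry paths in the queries for CIS_bullet_9.1.2, 9.1.3 and 9.1.6 contain doubled backslashes (`\SOFTWARE\\Policies\\Microsoft\...`, `\Policies\\Microsoft\...`) while every other query in the hunk uses single backslashes; SQLite string literals do not process backslash escapes, so unless osquery's registry table normalises the path these three policies compare against a key path that cannot exist and will always report failing regardless of the host's actual firewall configuration. The fix is to make them match their siblings, e.g. `SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\DefaultInboundAction' and data = 1);` for 9.1.2. Two smaller points: the 9.1.7 query uses `data == 1` where every sibling uses `data = 1` (both are accepted by SQLite, but one form is easier to grep and lint), and the 9.1.5 LogFilePath equality is a case-sensitive comparison against a Windows path, so `LOWER(data) = '%systemroot%\system32\logfiles\firewall\domainfw.log'` would avoid reporting a host as failing merely because an administrator typed the path with different casing. The 9.1.7 resolution text also names the older 'Windows Firewall with Advanced Security' UI path while its siblings name the 'Windows Defender Firewall ... - Local Group Policy Object' path; aligning it keeps the remediation guidance consistent across the set.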