From 518cbecfbfc3904aebe0d952329ac55e258340ea Mon Sep 17 00:00:00 2001
From: Marcos Oviedo
Date: Thu, 23 Mar 2023 17:54:16 -0300
Subject: [PATCH] cis18.9.100.x to cis18.9.102.x (#10717)

This relates to #10365
---
 ee/cis/win-10/cis-policy-queries.yml | 167 +++++++++++++++++++++++++++
 1 file changed, 167 insertions(+)

diff --git a/ee/cis/win-10/cis-policy-queries.yml b/ee/cis/win-10/cis-policy-queries.yml
index f049d55a21..a63520553b 100644
--- a/ee/cis/win-10/cis-policy-queries.yml
+++ b/ee/cis/win-10/cis-policy-queries.yml
@@ -5488,6 +5488,173 @@ spec:
 ---
 apiVersion: v1
 kind: policy
+spec:
+ name: >
+ CIS - Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting enables logging of all PowerShell script input to the Applications and Services Logs\Microsoft\Windows\PowerShell\Operational Event Log channel.
+ resolution: |
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ 'Computer Configuration\Policies\Administrative Templates\Windows Components\Windows PowerShell\Turn on PowerShell Script Block Logging'
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PowerShellExecutionPolicy.admx that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
+ query: |
+ SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\EnableScriptBlockLogging' AND data = 1);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.100.1
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: >
+ CIS - Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'
+ platforms: win10
+ platform: windows
+ description: |
+ This Policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts.
+ resolution: |
+ To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ 'Computer Configuration\Policies\Administrative Templates\Windows Components\Windows PowerShell\Turn on PowerShell Transcription'
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PowerShellExecutionPolicy.admx that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
+ query: |
+ SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\Transcription\\EnableTranscripting' AND data = 0);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.100.2
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: >
+ CIS - Ensure 'Allow Basic authentication' is set to 'Disabled'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication.
+ resolution: |
+ To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ 'Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Client\Allow Basic authentication'
+ query: |
+ SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Client\\AllowBasic' AND data = 0);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.102.1.1
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: >
+ CIS - Ensure 'Allow unencrypted traffic' is set to 'Disabled'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network.
+ resolution: |
+ To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ 'Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Client\Allow unencrypted traffic'
+ query: |
+ SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Client\\AllowUnencryptedTraffic' AND data = 0);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.102.1.2
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: >
+ CIS - Ensure 'Disallow Digest authentication' is set to 'Enabled'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting allows you to manage whether the Windows Remote Management (WinRM) client will not use Digest authentication.
+ resolution: |
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ 'Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Client\Disallow Digest authentication'
+ query: |
+ SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Client\\AllowDigest' AND data = 0);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.102.1.3
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: >
+ CIS - Ensure 'Allow Basic authentication' is set to 'Disabled'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client.
+ resolution: |
+ To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ 'Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service\Allow Basic authentication'
+ query: |
+ SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Service\\AllowBasic' AND data = 0);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.102.2.1
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: >
+ CIS - Ensure 'Allow remote server management through WinRM' is set to 'Disabled'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting allows you to manage whether the Windows Remote Management (WinRM) service
+ automatically listens on the network for requests on the HTTP transport over the default HTTP
+ port.
+ resolution: |
+ To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ 'Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service\Allow remote server management through WinRM'
+ query: |
+ SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Service\\AllowAutoConfig' AND data = 0);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level2, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.102.2.2
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: >
+ CIS - Ensure 'Allow unencrypted traffic' is set to 'Disabled'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network.
+ resolution: |
+ To establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ 'Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service\Allow unencrypted traffic'
+ query: |
+ SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Service\\AllowUnencryptedTraffic' AND data = 0);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level2, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.102.2.3
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: >
+ CIS - Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will allow RunAs credentials to be stored for any plug-ins.
+ resolution: |
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ 'Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service\Disallow WinRM from storing RunAs credentials'
+ Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsRemoteManagement.admx that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer)
+ query: |
+ SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Service\\DisableRunAs' AND data = 1);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.102.2.4
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
 spec:
 name: >
 CIS - Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'
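Review bot: The WinRM Client and WinRM Service policies are added under identical `name` values: `CIS - Ensure 'Allow Basic authentication' is set to 'Disabled'` is used for both 18.9.102.1.1 and 18.9.102.2.1, and `CIS - Ensure 'Allow unencrypted traffic' is set to 'Disabled'` for both 18.9.102.1.2 and 18.9.102.2.3. If policies are keyed by name when this spec is applied (presumably so; confirm against the loader), the later Service entry would replace the Client one and the Client-side checks would drop out of the compliance results without any error. Disambiguating the names would avoid this, for example `CIS - Ensure 'Allow Basic authentication' is set to 'Disabled' (WinRM Client)` and the same with `(WinRM Service)`, likewise for the unencrypted-traffic pair. Only this hunk is visible, so collisions with names elsewhere in the file could not be checked.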