Pushing CIS policy checks for 2.3.1.x to 2.3.7.x (#9902)

This relates to #9850
Marcos Oviedo 2023-02-23 14:04:23 -03:00 committed by GitHub
parent 549a7c7fd8
commit 7e95c52213
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
25 changed files with 773 additions and 19 deletions

@ -1,5 +1,5 @@
---
# The latest version of CIS Benchmarks for Windows 10 standalone is version 1.0.1
# The latest version of CIS Benchmarks for Windows 10 Enterprise is version 1.12.0
apiVersion: v1
kind: policy
spec:
@ -15,7 +15,7 @@ spec:
query: |
SELECT 1 FROM security_profile_info WHERE password_history_size >= 24;
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS-win10-stand-alone-1.1.1
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_1.1.1
contributors: marcosd4h
---
apiVersion: v1
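Review bot: The retagging on this policy from `CIS-win10-stand-alone-1.1.1` to `CIS_win10_enterprise_1.12.0, CIS_bullet_1.1.1` is not mentioned in the commit message, which only describes adding checks for 2.3.1.x to 2.3.7.x. The old tag disappears without an alias, so anything that selects policies by it stops matching. Please call the switch from the stand-alone benchmark to Enterprise 1.12.0 out in the commit message or changelog, and confirm that the 1.1.x bullet numbers are the same in both benchmarks.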
@ -28,13 +28,12 @@ spec:
This policy setting defines how long a user can use their password before it expires.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, set the
following UI path to 365 or fewer days, but not 0:
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 365 or fewer days, but not 0:
'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Maximum password age'
query: |
SELECT 1 FROM security_profile_info WHERE (maximum_password_age <= 365 AND maximum_password_age != 0);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS-win10-stand-alone-1.1.2
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_1.1.2
contributors: marcosd4h
---
apiVersion: v1
@ -48,13 +47,12 @@ spec:
change it. The range of values for this policy setting is between 1 and 999 days.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, set the
following UI path to 1 or more days:
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 1 or more days:
'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password age'
query: |
SELECT 1 FROM security_profile_info WHERE minimum_password_age >= 1;
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS-win10-stand-alone-1.1.3
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_1.1.3
contributors: marcosd4h
---
apiVersion: v1
@ -67,13 +65,12 @@ spec:
This policy setting determines the least number of characters that make up a password for a user account.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, set the
following UI path to 14 or more characters
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 14 or more characters
'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password length'
query: |
SELECT 1 FROM security_profile_info WHERE minimum_password_length >= 14;
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS-win10-stand-alone-1.1.4
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_1.1.4
contributors: marcosd4h
---
apiVersion: v1
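Review bot: The rejoined resolution line ends at `14 or more characters` with no colon before the UI path, unlike the sibling policies in this file (`... to 1 or more days:`). Add the colon while this line is being touched so the resolution text stays uniform.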
@ -88,13 +85,12 @@ spec:
discover with several publicly available tools.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, set the
following UI path to 'Enabled':
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Enabled':
'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements'
query: |
SELECT 1 FROM security_profile_info WHERE password_complexity = 1;
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS-win10-stand-alone-1.1.5
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_1.1.5
contributors: marcosd4h
---
apiVersion: v1
@ -107,13 +103,12 @@ spec:
This policy setting determines whether the minimum password length setting can be increased beyond the legacy limit of 14 characters.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, set the
following UI path to 'Enabled':
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Enabled':
'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Relax minimum password length limits'
query: |
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SAM\\RelaxMinimumPasswordLengthLimits' AND data != 0);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS-win10-stand-alone-1.1.6
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_1.1.6
contributors: marcosd4h
---
apiVersion: v1
@ -134,5 +129,332 @@ spec:
query: |
SELECT 1 FROM security_profile_info WHERE clear_text_password = 0;
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS-win10-stand-alone-1.1.7
contributors: marcosd4h
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_1.1.7
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure 'Accounts Administrator account status' is set to 'Disabled'
platforms: win10
platform: windows
description: |
This policy setting enables or disables the Administrator account during normal operation.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Disabled':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Administrator account status'
query: |
SELECT 1 FROM mdm_bridge where mdm_command_input = "<SyncBody><Get><CmdID>1</CmdID><Item><Target><LocURI>./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus</LocURI></Target></Item></Get></SyncBody>" AND mdm_command_output == 0;
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.1.1
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure 'Accounts Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'
platforms: win10
platform: windows
description: |
This policy setting prevents users from adding new Microsoft accounts on this computer.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Users can't add or log on with Microsoft account':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Block Microsoft accounts'
query: |
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\NoConnectedUser' AND data == 3);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.1.2
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure 'Accounts Guest account status' is set to 'Disabled'
platforms: win10
platform: windows
description: |
This policy setting determines whether the Guest account is enabled or disabled. The Guest account allows unauthenticated network users to gain access to the system.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Disabled':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Guest account status'
query: |
SELECT 1 FROM mdm_bridge where mdm_command_input = "<SyncBody><Get><CmdID>1</CmdID><Item><Target><LocURI>./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus</LocURI></Target></Item></Get></SyncBody>" and mdm_command_output == 0;
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.1.3
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure 'Accounts Limit local account use of blank passwords to console logon only' is set to 'Enabled'
platforms: win10
platform: windows
description: |
This policy setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Enabled':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Limit local account use of blank passwords to console logon only'
query: |
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\LimitBlankPasswordUse' AND data == 1);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.1.4
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: CIS - Configure 'Accounts Rename administrator account'
platforms: win10
platform: windows
description: |
The built-in local administrator account is a well-known account name that attackers will
target. It is recommended to choose another name for this account, and to avoid names that
denote administrative or elevated access accounts.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to value different than 'Administrator':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Rename administrator account'
query: |
SELECT 1 FROM mdm_bridge where mdm_command_input = "<SyncBody><Get><CmdID>1</CmdID><Item><Target><LocURI>./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount</LocURI></Target></Item></Get></SyncBody>" and mdm_command_output != "Administrator";
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.1.5
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: CIS - Configure 'Accounts Rename guest account'
platforms: win10
platform: windows
description: |
The built-in local guest account is another well-known name to attackers. It is recommended to
rename this account to something that does not indicate its purpose. Even if you disable this
account, which is recommended, ensure that you rename it for added security.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to value different than 'Guest':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Rename guest account'
query: |
SELECT 1 FROM mdm_bridge where mdm_command_input = "<SyncBody><Get><CmdID>1</CmdID><Item><Target><LocURI>./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount</LocURI></Target></Item></Get></SyncBody>" and mdm_command_output != "Guest";
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.1.6
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure 'Audit Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'
platforms: win10
platform: windows
description: |
This policy setting allows administrators to enable the more precise auditing capabilities.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Enabled':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings'
query: |
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\SCENoApplyLegacyAuditPolicy' AND data == 1);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.2.1
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure 'Audit Shut down system immediately if unable to log security audits' is set to 'Disabled'
platforms: win10
platform: windows
description: |
This policy setting determines whether the system shuts down if it is unable to log Security
events. It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and
Common Criteria certification to prevent auditable events from occurring if the audit system is
unable to log them.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Disabled':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Shut down system immediately if unable to log security audits'
query: |
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\crashonauditfail' AND data == 0);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.2.2
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure 'Devices Prevent users from installing printer drivers' is set to 'Enabled'
platforms: win10
platform: windows
description: |
For a computer to print to a shared printer, the driver for that shared printer must be
installed on the local computer. This security setting determines who is allowed to install a
printer driver as part of connecting to a shared printer.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Enabled':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Prevent users from installing printer drivers'
query: |
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Print\\Providers\\LanManPrint Services\\Servers\\AddPrinterDrivers' AND data == 1);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.4.1
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure 'Interactive logon Do not require CTRL+ALT+DEL' is set to 'Disabled'
platforms: win10
platform: windows
description: |
This policy setting determines whether users must press CTRL+ALT+DEL before they log on.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Disabled':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not require CTRL+ALT+DEL'
query: |
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableCAD' AND data == 0);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.7.1
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure 'Interactive logon Don't display last signed-in' is set to 'Enabled'
platforms: win10
platform: windows
description: |
This policy setting determines whether the account name of the last user to log on to the client
computers in your organization will be displayed in each computer's respective Windows logon
screen.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Enabled':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Don't display last signed-in'
query: |
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\dontdisplaylastusername' AND data == 1);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.7.2
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure 'Interactive logon Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'
platforms: win10
platform: windows
description: |
This security setting determines the number of failed logon attempts that causes the machine to be locked out.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to '10 or fewer invalid logon attempts, but not 0':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Machine account lockout threshold'
query: |
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\MaxDevicePasswordFailedAttempts' AND data <= 10 AND data != 0);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.7.3
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure 'Interactive logon Machine inactivity limit' is set to '900 or fewer second(s), but not 0'
platforms: win10
platform: windows
description: |
Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to '900 or fewer seconds, but not 0':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Machine inactivity limit'
query: |
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\InactivityTimeoutSecs' AND data <= 900 AND data != 0);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.7.4
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: CIS - Configure 'Interactive logon Message text for users attempting to log on'
platforms: win10
platform: windows
description: |
This policy setting specifies a text message that displays to users when they log on. Set the
following group policy to a value that is consistent with the security and operational
requirements of your organization.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to a value that is consistent with the security and operational requirements
of your organization:
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Message text for users attempting to log on'
query: |
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\legalnoticetext' AND data != "");
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.7.5
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: CIS - Configure 'Interactive logon Message title for users attempting to log on'
platforms: win10
platform: windows
description: |
This policy setting specifies the text displayed in the title bar of the window that users see
when they log on to the system. Configure this setting in a manner that is consistent with the
security and operational requirements of your organization.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to a value that is consistent with the security and operational requirements
of your organization:
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Message title for users attempting to log on'
query: |
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\legalnoticecaption' AND data != "");
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.7.6
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure 'Interactive logon Prompt user to change password before expiration' is set to 'between 5 and 14 days'
platforms: win10
platform: windows
description: |
This policy setting specifies the text displayed in the title bar of the window that users see
when they log on to the system. Configure this setting in a manner that is consistent with the
security and operational requirements of your organization.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to a value 'between 5 and 14 days':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Prompt user to change password before expiration'
query: |
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\PasswordExpiryWarning' AND CAST(data AS INTEGER) >= 5 AND CAST(data AS INTEGER) <= 14);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.7.7
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure 'Interactive logon Smart card removal behavior' is set to 'Lock Workstation' or higher
platforms: win10
platform: windows
description: |
This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, set the
following UI path to 'Lock Workstation (or, if applicable for your environment, Force Logoff or Disconnect if a Remote Desktop Services session)':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Smart card removal behavior'
query: |
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\scremoveoption' AND CAST(data AS INTEGER) >= 1 AND CAST(data AS INTEGER) <= 3);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.7.8
contributors: marcosd4h
---
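Review bot: The range checks for 2.3.7.3 and 2.3.7.4 compare `data` directly (`data <= 10 AND data != 0`, `data <= 900 AND data != 0`), while 2.3.7.7 and 2.3.7.8 further down wrap the same column in `CAST(data AS INTEGER)`. The registry table's `data` column is text, so the uncast comparisons are done as strings: a threshold of 9 would fail `data <= 10`, and an inactivity limit of 1000 would pass `data <= 900`. Use the CAST form in both range checks. Separately, the description of 2.3.7.7 ('Prompt user to change password before expiration') is the title-bar text copied from 2.3.7.6 and does not describe the password expiry warning; it needs its own description.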

@ -0,0 +1,18 @@
Expected scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to '24 or more passwords':
'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Enforce password history'
2) After running the policy check, it should return 1 indicating that setting was properly set
Failure scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to values different than '24 or more passwords':
'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Enforce password history'
2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value

@ -0,0 +1,18 @@
Expected scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to '365 or fewer days, but not 0':
'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Maximum password age'
2) After running the policy check, it should return 1 indicating that setting was properly set
Failure scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to values different than '365 or fewer days, but not 0':
'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Maximum password age'
2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
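Review bot: The failure scenario does not name the 0 boundary, which the query for this policy excludes explicitly (`maximum_password_age != 0`). "Values different than '365 or fewer days, but not 0'" leaves the tester to pick one value; list both failing cases, a value above 365 and 0, so that each half of the condition is exercised.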

@ -0,0 +1,18 @@
Expected scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to '1 or more days':
'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password age'
2) After running the policy check, it should return 1 indicating that setting was properly set
Failure scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to values different than '1 or more days':
'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password age'
2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value

@ -0,0 +1,18 @@
Expected scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to '14 or more characters':
'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password length'
2) After running the policy check, it should return 1 indicating that setting was properly set
Failure scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to values different than '14 or more characters':
'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password length'
2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value

@ -0,0 +1,18 @@
Expected scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to 'Enabled':
'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements'
2) After running the policy check, it should return 1 indicating that setting was properly set
Failure scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to value different than 'Enabled':
'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements'
2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value

@ -0,0 +1,18 @@
Expected scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to 'Enabled':
'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Relax minimum password length limits'
2) After running the policy check, it should return 1 indicating that setting was properly set
Failure scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to value different than 'Enabled':
'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Relax minimum password length limits'
2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value

@ -0,0 +1,18 @@
Expected scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to 'Disabled':
'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Store passwords using reversible encryption'
2) After running the policy check, it should return 1 indicating that setting was properly set
Failure scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to value different than 'Disabled':
'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Store passwords using reversible encryption'
2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value

@ -0,0 +1,18 @@
Expected scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to 'Disabled':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Administrator account status'
2) After running the policy check, it should return 1 indicating that setting was properly set
Failure scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to value different than 'Disabled':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Administrator account status'
2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value

@ -0,0 +1,18 @@
Expected scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to 'Users can't add or log on with Microsoft accounts':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Block Microsoft accounts'
2) After running the policy check, it should return 1 indicating that setting was properly set
Failure scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to values different than 'Users can't add or log on with Microsoft accounts':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Block Microsoft accounts'
2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value

@ -0,0 +1,18 @@
Expected scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to 'Disabled':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Guest account status'
2) After running the policy check, it should return 1 indicating that setting was properly set
Failure scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to values different than 'Disabled':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Guest account status'
2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value

@ -0,0 +1,18 @@
Expected scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to 'Enabled':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Limit local account use of blank passwords to console logon only'
2) After running the policy check, it should return 1 indicating that setting was properly set
Failure scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to values different than 'Enabled':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Limit local account use of blank passwords to console logon only'
2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value

@ -0,0 +1,18 @@
Expected scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to a value different than 'Administrator':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Rename administrator account'
2) After running the policy check, it should return 1 indicating that setting was properly set
Failure scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to 'Administrator' value:
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Rename administrator account'
2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
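
Review bot: The failure scenario in step 1 only covers the exact string 'Administrator'. Windows account names are not case-sensitive, so add a variant such as 'administrator' to show whether the check compares the name case-insensitively; otherwise a trivially re-cased default name could pass.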

View file

@ -0,0 +1,18 @@
Expected scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to a value different than 'Guest':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Rename guest account'
2) After running the policy check, it should return 1 indicating that setting was properly set
Failure scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to the 'Guest' value:
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Rename guest account'
2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value

View file

@ -0,0 +1,18 @@
Expected scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to 'Enabled':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings'
2) After running the policy check, it should return 1 indicating that setting was properly set
Failure scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to values different than 'Enabled':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings'
2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value

View file

@ -0,0 +1,18 @@
Expected scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to 'Disabled':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Shut down system immediately if unable to log security audits'
2) After running the policy check, it should return 1 indicating that setting was properly set
Failure scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to values different than 'Disabled':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Shut down system immediately if unable to log security audits'
2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value

View file

@ -0,0 +1,18 @@
Expected scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to 'Enabled':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Prevent users from installing printer drivers'
2) After running the policy check, it should return 1 indicating that setting was properly set
Failure scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to values different than 'Enabled':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Prevent users from installing printer drivers'
2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value

View file

@ -0,0 +1,18 @@
Expected scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to 'Disabled':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not require CTRL+ALT+DEL'
2) After running the policy check, it should return 1 indicating that setting was properly set
Failure scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to values different than 'Disabled':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not require CTRL+ALT+DEL'
2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value

View file

@ -0,0 +1,18 @@
Expected scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to 'Enabled':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Don't display last signed-in'
2) After running the policy check, it should return 1 indicating that setting was properly set
Failure scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to values different than 'Enabled':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Don't display last signed-in'
2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value

View file

@ -0,0 +1,18 @@
Expected scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to '10 or fewer invalid logon attempts, but not 0':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Machine account lockout threshold'
2) After running the policy check, it should return 1 indicating that setting was properly set
Failure scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to values different than '10 or fewer invalid logon attempts, but not 0':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Machine account lockout threshold'
2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
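
Review bot: Step 1 of the failure scenario does not say which out-of-range values to try. The "but not 0" clause and the upper bound are two separate conditions, so list both explicitly, for example 0 and 11, and have the expected scenario use the edge values 1 and 10.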

View file

@ -0,0 +1,18 @@
Expected scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to '900 or fewer second(s), but not 0':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Machine inactivity limit'
2) After running the policy check, it should return 1 indicating that setting was properly set
Failure scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to values different than '900 or fewer second(s), but not 0':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Machine inactivity limit'
2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
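
Review bot: The expected scenario in step 1 never pins down whether "900 or fewer" includes 900. Ask the tester to set exactly 900 in the expected scenario, and 0 and 901 in the failure scenario, so an off-by-one in the comparison is caught.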

View file

@ -0,0 +1,18 @@
Expected scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to a non-empty value:
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Message text for users attempting to log on'
2) After running the policy check, it should return 1 indicating that setting was properly set
Failure scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to an empty value:
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Message text for users attempting to log on'
2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
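
Review bot: The scenarios only distinguish "a non-empty value" from "an empty value" in step 1. A whitespace-only message is not covered; add it to one scenario or the other so the intended result for that input is documented.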

View file

@ -0,0 +1,18 @@
Expected scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to a non-empty value:
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Message title for users attempting to log on'
2) After running the policy check, it should return 1 indicating that setting was properly set
Failure scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to an empty value:
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Message title for users attempting to log on'
2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value

View file

@ -0,0 +1,18 @@
Expected scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to values 'between 5 and 14 days':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Prompt user to change password before expiration'
2) After running the policy check, it should return 1 indicating that setting was properly set
Failure scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to values different than 'between 5 and 14 days':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Prompt user to change password before expiration'
2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
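
Review bot: 'between 5 and 14 days' in step 1 of both scenarios leaves it unclear whether the bounds are inclusive. State the concrete values to test, for example 5 and 14 as expected-pass and 4 and 15 as expected-fail.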

View file

@ -0,0 +1,18 @@
Expected scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to 'Lock Workstation or higher':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Smart card removal behavior'
2) After running the policy check, it should return 1 indicating that setting was properly set
Failure scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to values different than 'Lock Workstation or higher':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Smart card removal behavior'
2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
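
Review bot: 'Lock Workstation or higher' in step 1 relies on an ordering the file never defines. List the options that should pass by name (Lock Workstation, Force Logoff, Disconnect if a Remote Desktop Services session) and name 'No Action' as the failing value, so the tester does not have to infer what "higher" means.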