From 7e95c52213931d9832052a5a176011ff70047896 Mon Sep 17 00:00:00 2001 
From: Marcos Oviedo Date: Thu, 23 Feb 2023 14:04:23 -0300 Subject: [PATCH] Pushing CIS policy checks for 2.3.1.x to 2.3.7.x (#9902) This relates to #9850 --- ee/cis/win-10/cis-policy-queries.yml | 360 +++++++++++++++++- ee/cis/win-10/test/instructions/CIS_1.1.1.txt | 18 + ee/cis/win-10/test/instructions/CIS_1.1.2.txt | 18 + ee/cis/win-10/test/instructions/CIS_1.1.3.txt | 18 + ee/cis/win-10/test/instructions/CIS_1.1.4.txt | 18 + ee/cis/win-10/test/instructions/CIS_1.1.5.txt | 18 + ee/cis/win-10/test/instructions/CIS_1.1.6.txt | 18 + ee/cis/win-10/test/instructions/CIS_1.1.7.txt | 18 + .../win-10/test/instructions/CIS_2.3.1.1.txt | 18 + .../win-10/test/instructions/CIS_2.3.1.2.txt | 18 + .../win-10/test/instructions/CIS_2.3.1.3.txt | 18 + .../win-10/test/instructions/CIS_2.3.1.4.txt | 18 + .../win-10/test/instructions/CIS_2.3.1.5.txt | 18 + .../win-10/test/instructions/CIS_2.3.1.6.txt | 18 + .../win-10/test/instructions/CIS_2.3.2.1.txt | 18 + .../win-10/test/instructions/CIS_2.3.2.2.txt | 18 + .../win-10/test/instructions/CIS_2.3.4.1.txt | 18 + .../win-10/test/instructions/CIS_2.3.7.1.txt | 18 + .../win-10/test/instructions/CIS_2.3.7.2.txt | 18 + .../win-10/test/instructions/CIS_2.3.7.3.txt | 18 + .../win-10/test/instructions/CIS_2.3.7.4.txt | 18 + .../win-10/test/instructions/CIS_2.3.7.5.txt | 18 + .../win-10/test/instructions/CIS_2.3.7.6.txt | 18 + .../win-10/test/instructions/CIS_2.3.7.7.txt | 18 + .../win-10/test/instructions/CIS_2.3.7.8.txt | 18 + 25 files changed, 773 insertions(+), 19 deletions(-) create mode 100644 ee/cis/win-10/test/instructions/CIS_1.1.1.txt create mode 100644 ee/cis/win-10/test/instructions/CIS_1.1.2.txt create mode 100644 ee/cis/win-10/test/instructions/CIS_1.1.3.txt create mode 100644 ee/cis/win-10/test/instructions/CIS_1.1.4.txt create mode 100644 ee/cis/win-10/test/instructions/CIS_1.1.5.txt create mode 100644 ee/cis/win-10/test/instructions/CIS_1.1.6.txt create mode 100644 ee/cis/win-10/test/instructions/CIS_1.1.7.txt create mode 
100644 ee/cis/win-10/test/instructions/CIS_2.3.1.1.txt create mode 100644 ee/cis/win-10/test/instructions/CIS_2.3.1.2.txt create mode 100644 ee/cis/win-10/test/instructions/CIS_2.3.1.3.txt create mode 100644 ee/cis/win-10/test/instructions/CIS_2.3.1.4.txt create mode 100644 ee/cis/win-10/test/instructions/CIS_2.3.1.5.txt create mode 100644 ee/cis/win-10/test/instructions/CIS_2.3.1.6.txt create mode 100644 ee/cis/win-10/test/instructions/CIS_2.3.2.1.txt create mode 100644 ee/cis/win-10/test/instructions/CIS_2.3.2.2.txt create mode 100644 ee/cis/win-10/test/instructions/CIS_2.3.4.1.txt create mode 100644 ee/cis/win-10/test/instructions/CIS_2.3.7.1.txt create mode 100644 ee/cis/win-10/test/instructions/CIS_2.3.7.2.txt create mode 100644 ee/cis/win-10/test/instructions/CIS_2.3.7.3.txt create mode 100644 ee/cis/win-10/test/instructions/CIS_2.3.7.4.txt create mode 100644 ee/cis/win-10/test/instructions/CIS_2.3.7.5.txt create mode 100644 ee/cis/win-10/test/instructions/CIS_2.3.7.6.txt create mode 100644 ee/cis/win-10/test/instructions/CIS_2.3.7.7.txt create mode 100644 ee/cis/win-10/test/instructions/CIS_2.3.7.8.txt
diff --git a/ee/cis/win-10/cis-policy-queries.yml b/ee/cis/win-10/cis-policy-queries.yml
index 9a8698cb72..454442311e 100644
--- a/ee/cis/win-10/cis-policy-queries.yml
+++ b/ee/cis/win-10/cis-policy-queries.yml
@@ -1,5 +1,5 @@
 ---
-# The latest version of CIS Benchmarks for Windows 10 standalone is version 1.0.1
+# The latest version of CIS Benchmarks for Windows 10 Enterprise is version 1.12.0
 apiVersion: v1
 kind: policy
 spec:
@@ -15,7 +15,7 @@ spec:
 query: |
 SELECT 1 FROM security_profile_info WHERE password_history_size >= 24;
 purpose: Informational
- tags: compliance, CIS, CIS_Level1, CIS-win10-stand-alone-1.1.1
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_1.1.1
 contributors: marcosd4h
 ---
 apiVersion: v1
@@ -28,13 +28,12 @@ spec:
 This policy setting defines how long a user can use their password before it expires.
 resolution: |
 Automatic method:
- Ask your system administrator to establish the recommended configuration via GP, set the
- following UI path to 365 or fewer days, but not 0:
+ Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 365 or fewer days, but not 0:
 'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Maximum password age'
 query: |
 SELECT 1 FROM security_profile_info WHERE (maximum_password_age <= 365 AND maximum_password_age != 0);
 purpose: Informational
- tags: compliance, CIS, CIS_Level1, CIS-win10-stand-alone-1.1.2
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_1.1.2
 contributors: marcosd4h
 ---
 apiVersion: v1
@@ -48,13 +47,12 @@ spec:
 change it. The range of values for this policy setting is between 1 and 999 days.
 resolution: |
 Automatic method:
- Ask your system administrator to establish the recommended configuration via GP, set the
- following UI path to 1 or more days:
+ Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 1 or more days:
 'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password age'
 query: |
 SELECT 1 FROM security_profile_info WHERE minimum_password_age >= 1;
 purpose: Informational
- tags: compliance, CIS, CIS_Level1, CIS-win10-stand-alone-1.1.3
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_1.1.3
 contributors: marcosd4h
 ---
 apiVersion: v1
@@ -67,13 +65,12 @@ spec:
 This policy setting determines the least number of characters that make up a password for a user account.
 resolution: |
 Automatic method:
- Ask your system administrator to establish the recommended configuration via GP, set the
- following UI path to 14 or more characters
+ Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 14 or more characters
 'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password length'
 query: |
 SELECT 1 FROM security_profile_info WHERE minimum_password_length >= 14;
 purpose: Informational
- tags: compliance, CIS, CIS_Level1, CIS-win10-stand-alone-1.1.4
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_1.1.4
 contributors: marcosd4h
 ---
 apiVersion: v1
@@ -88,13 +85,12 @@ spec:
 discover with several publicly available tools.
 resolution: |
 Automatic method:
- Ask your system administrator to establish the recommended configuration via GP, set the
- following UI path to 'Enabled':
+ Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Enabled':
 'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements'
 query: |
 SELECT 1 FROM security_profile_info WHERE password_complexity = 1;
 purpose: Informational
- tags: compliance, CIS, CIS_Level1, CIS-win10-stand-alone-1.1.5
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_1.1.5
 contributors: marcosd4h
 ---
 apiVersion: v1
@@ -107,13 +103,12 @@ spec:
 This policy setting determines whether the minimum password length setting can be increased beyond the legacy limit of 14 characters.
 resolution: |
 Automatic method:
- Ask your system administrator to establish the recommended configuration via GP, set the
- following UI path to 'Enabled':
+ Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Enabled':
 'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Relax minimum password length limits'
 query: |
 SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SAM\\RelaxMinimumPasswordLengthLimits' AND data != 0);
 purpose: Informational
- tags: compliance, CIS, CIS_Level1, CIS-win10-stand-alone-1.1.6
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_1.1.6
 contributors: marcosd4h
 ---
 apiVersion: v1
@@ -134,5 +129,332 @@ spec:
 query: |
 SELECT 1 FROM security_profile_info WHERE clear_text_password = 0;
 purpose: Informational
- tags: compliance, CIS, CIS_Level1, CIS-win10-stand-alone-1.1.7
- contributors: marcosd4h
\ No newline at end of file
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_1.1.7
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: CIS - Ensure 'Accounts Administrator account status' is set to 'Disabled'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting enables or disables the Administrator account during normal operation.
+ resolution: |
+ Automatic method:
+ Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Administrator account status'
+ query: |
+ SELECT 1 FROM mdm_bridge where mdm_command_input = "1./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus" AND mdm_command_output == 0;
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.1.1
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: CIS - Ensure 'Accounts Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting prevents users from adding new Microsoft accounts on this computer.
+ resolution: |
+ Automatic method:
+ Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Users can't add or log on with Microsoft account':
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Block Microsoft accounts'
+ query: |
+ SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\NoConnectedUser' AND data == 3);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.1.2
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: CIS - Ensure 'Accounts Guest account status' is set to 'Disabled'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting determines whether the Guest account is enabled or disabled. The Guest account allows unauthenticated network users to gain access to the system.
+ resolution: |
+ Automatic method:
+ Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Guest account status'
+ query: |
+ SELECT 1 FROM mdm_bridge where mdm_command_input = "1./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus" and mdm_command_output == 0;
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.1.3
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: CIS - Ensure 'Accounts Limit local account use of blank passwords to console logon only' is set to 'Enabled'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console.
+ resolution: |
+ Automatic method:
+ Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Limit local account use of blank passwords to console logon only'
+ query: |
+ SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\LimitBlankPasswordUse' AND data == 1);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.1.4
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: CIS - Configure 'Accounts Rename administrator account'
+ platforms: win10
+ platform: windows
+ description: |
+ The built-in local administrator account is a well-known account name that attackers will
+ target. It is recommended to choose another name for this account, and to avoid names that
+ denote administrative or elevated access accounts.
+ resolution: |
+ Automatic method:
+ Ask your system administrator to establish the recommended configuration via GP, set the following UI path to value different than 'Administrator':
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Rename administrator account'
+ query: |
+ SELECT 1 FROM mdm_bridge where mdm_command_input = "1./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount" and mdm_command_output != "Administrator";
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.1.5
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: CIS - Configure 'Accounts Rename guest account'
+ platforms: win10
+ platform: windows
+ description: |
+ The built-in local guest account is another well-known name to attackers. It is recommended to
+ rename this account to something that does not indicate its purpose. Even if you disable this
+ account, which is recommended, ensure that you rename it for added security.
+ resolution: |
+ Automatic method:
+ Ask your system administrator to establish the recommended configuration via GP, set the following UI path to value different than 'Guest':
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Rename guest account'
+ query: |
+ SELECT 1 FROM mdm_bridge where mdm_command_input = "1./Device/Vendor/MSFT/Policy/Result/LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount" and mdm_command_output != "Guest";
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.1.6
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: CIS - Ensure 'Audit Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting allows administrators to enable the more precise auditing capabilities.
+ resolution: |
+ Automatic method:
+ Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings'
+ query: |
+ SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\SCENoApplyLegacyAuditPolicy' AND data == 1);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.2.1
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: CIS - Ensure 'Audit Shut down system immediately if unable to log security audits' is set to 'Disabled'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting determines whether the system shuts down if it is unable to log Security
+ events. It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and
+ Common Criteria certification to prevent auditable events from occurring if the audit system is
+ unable to log them.
+ resolution: |
+ Automatic method:
+ Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Shut down system immediately if unable to log security audits'
+ query: |
+ SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\crashonauditfail' AND data == 0);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.2.2
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: CIS - Ensure 'Devices Prevent users from installing printer drivers' is set to 'Enabled'
+ platforms: win10
+ platform: windows
+ description: |
+ For a computer to print to a shared printer, the driver for that shared printer must be
+ installed on the local computer. This security setting determines who is allowed to install a
+ printer driver as part of connecting to a shared printer.
+ resolution: |
+ Automatic method:
+ Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Prevent users from installing printer drivers'
+ query: |
+ SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Print\\Providers\\LanManPrint Services\\Servers\\AddPrinterDrivers' AND data == 1);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.4.1
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: CIS - Ensure 'Interactive logon Do not require CTRL+ALT+DEL' is set to 'Disabled'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting determines whether users must press CTRL+ALT+DEL before they log on.
+ resolution: |
+ Automatic method:
+ Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Disabled':
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not require CTRL+ALT+DEL'
+ query: |
+ SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableCAD' AND data == 0);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.7.1
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: CIS - Ensure 'Interactive logon Don't display last signed-in' is set to 'Enabled'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting determines whether the account name of the last user to log on to the client
+ computers in your organization will be displayed in each computer's respective Windows logon
+ screen.
+ resolution: |
+ Automatic method:
+ Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Enabled':
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Don't display last signed-in'
+ query: |
+ SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\dontdisplaylastusername' AND data == 1);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.7.2
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: CIS - Ensure 'Interactive logon Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'
+ platforms: win10
+ platform: windows
+ description: |
+ This security setting determines the number of failed logon attempts that causes the machine to be locked out.
+ resolution: |
+ Automatic method:
+ Ask your system administrator to establish the recommended configuration via GP, set the following UI path to '10 or fewer invalid logon attempts, but not 0':
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Machine account lockout threshold'
+ query: |
+ SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\MaxDevicePasswordFailedAttempts' AND data <= 10 AND data != 0);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.7.3
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: CIS - Ensure 'Interactive logon Machine inactivity limit' is set to '900 or fewer second(s), but not 0'
+ platforms: win10
+ platform: windows
+ description: |
+ Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session.
+ resolution: |
+ Automatic method:
+ Ask your system administrator to establish the recommended configuration via GP, set the following UI path to '900 or fewer seconds, but not 0':
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Machine inactivity limit'
+ query: |
+ SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\InactivityTimeoutSecs' AND data <= 900 AND data != 0);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.7.4
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: CIS - Configure 'Interactive logon Message text for users attempting to log on'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting specifies a text message that displays to users when they log on. Set the
+ following group policy to a value that is consistent with the security and operational
+ requirements of your organization.
+ resolution: |
+ Automatic method:
+ Ask your system administrator to establish the recommended configuration via GP, set the following UI path to a value that is consistent with the security and operational requirements
+ of your organization:
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Message text for users attempting to log on'
+ query: |
+ SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\legalnoticetext' AND data != "");
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.7.5
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: CIS - Configure 'Interactive logon Message title for users attempting to log on'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting specifies the text displayed in the title bar of the window that users see
+ when they log on to the system. Configure this setting in a manner that is consistent with the
+ security and operational requirements of your organization.
+ resolution: |
+ Automatic method:
+ Ask your system administrator to establish the recommended configuration via GP, set the following UI path to a value that is consistent with the security and operational requirements
+ of your organization:
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Message title for users attempting to log on'
+ query: |
+ SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\legalnoticecaption' AND data != "");
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.7.6
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: CIS - Ensure 'Interactive logon Prompt user to change password before expiration' is set to 'between 5 and 14 days'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting specifies the text displayed in the title bar of the window that users see
+ when they log on to the system. Configure this setting in a manner that is consistent with the
+ security and operational requirements of your organization.
+ resolution: |
+ Automatic method:
+ Ask your system administrator to establish the recommended configuration via GP, set the following UI path to a value 'between 5 and 14 days':
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Prompt user to change password before expiration'
+ query: |
+ SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\PasswordExpiryWarning' AND CAST(data AS INTEGER) >= 5 AND CAST(data AS INTEGER) <= 14);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.7.7
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: CIS - Ensure 'Interactive logon Smart card removal behavior' is set to 'Lock Workstation' or higher
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader.
+ resolution: |
+ Automatic method:
+ Ask your system administrator to establish the recommended configuration via GP, set the
+ following UI path to 'Lock Workstation (or, if applicable for your environment, Force Logoff or Disconnect if a Remote Desktop Services session)':
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Smart card removal behavior'
+ query: |
+ SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\scremoveoption' AND CAST(data AS INTEGER) >= 1 AND CAST(data AS INTEGER) <= 3);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.7.8
+ contributors: marcosd4h
+---
\ No newline at end of file
diff --git a/ee/cis/win-10/test/instructions/CIS_1.1.1.txt b/ee/cis/win-10/test/instructions/CIS_1.1.1.txt new file mode 100644
index 0000000000..41c65a52e1
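Review bot: The range checks for CIS_bullet_2.3.7.3 and CIS_bullet_2.3.7.4 compare the registry `data` column directly (`data <= 10 AND data != 0`, `data <= 900 AND data != 0`), while 2.3.7.7 and 2.3.7.8 in the same hunk wrap it in `CAST(data AS INTEGER)`; if `data` is a text column, as those casts suggest, SQLite applies text affinity to the numeric literal and compares strings, so a value such as '5' fails `'5' <= '10'` and a compliant host is reported non-compliant. Use the cast consistently, e.g. `AND CAST(data AS INTEGER) <= 10 AND CAST(data AS INTEGER) != 0);` for MaxDevicePasswordFailedAttempts and the same shape with 900 for InactivityTimeoutSecs. The description of CIS_bullet_2.3.7.7 ('Prompt user to change password before expiration') repeats the 2.3.7.6 text about the logon window title bar and should describe the password-expiry warning setting instead. The new queries also mix `where`/`WHERE`, `and`/`AND`, `=`/`==` and double-quoted string literals (`"Administrator"`, `""`); single-quoted literals and one keyword case would match the earlier policies in this file.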
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_1.1.1.txt
@@ -0,0 +1,18 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to '24 or more passwords':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Enforce password history'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to values different than '24 or more passwords':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Enforce password history'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
+
+
+
diff --git a/ee/cis/win-10/test/instructions/CIS_1.1.2.txt b/ee/cis/win-10/test/instructions/CIS_1.1.2.txt new file mode 100644
index 0000000000..2c79c000fd
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_1.1.2.txt
@@ -0,0 +1,18 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to '365 or fewer days, but not 0':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Maximum password age'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to values different than '365 or fewer days, but not 0':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Maximum password age'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
+
+
+
diff --git a/ee/cis/win-10/test/instructions/CIS_1.1.3.txt b/ee/cis/win-10/test/instructions/CIS_1.1.3.txt new file mode 100644
index 0000000000..75a1a67d4c
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_1.1.3.txt
@@ -0,0 +1,18 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to '1 or more days':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password age'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to values different than '1 or more days':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password age'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
+
+
+
diff --git a/ee/cis/win-10/test/instructions/CIS_1.1.4.txt b/ee/cis/win-10/test/instructions/CIS_1.1.4.txt new file mode 100644
index 0000000000..19d49f09cb
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_1.1.4.txt
@@ -0,0 +1,18 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to '14 or more characters':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password length'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to values different than '14 or more characters':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password length'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
+
+
+
diff --git a/ee/cis/win-10/test/instructions/CIS_1.1.5.txt b/ee/cis/win-10/test/instructions/CIS_1.1.5.txt new file mode 100644
index 0000000000..ab0d6072a0
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_1.1.5.txt
@@ -0,0 +1,18 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to 'Enabled':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to value different than 'Enabled':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
+
+
+
diff --git a/ee/cis/win-10/test/instructions/CIS_1.1.6.txt b/ee/cis/win-10/test/instructions/CIS_1.1.6.txt new file mode 100644
index 0000000000..52ff992272
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_1.1.6.txt
@@ -0,0 +1,18 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to 'Enabled':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Relax minimum password length limits'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to value different than 'Enabled':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Relax minimum password length limits'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
+
+
+
diff --git a/ee/cis/win-10/test/instructions/CIS_1.1.7.txt b/ee/cis/win-10/test/instructions/CIS_1.1.7.txt
new file mode 100644
index 0000000000..3afc3c45d8
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_1.1.7.txt
@@ -0,0 +1,18 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to 'Disabled':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Store passwords using reversible encryption'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to value different than 'Disabled':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Store passwords using reversible encryption'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
+
+
+
diff --git a/ee/cis/win-10/test/instructions/CIS_2.3.1.1.txt b/ee/cis/win-10/test/instructions/CIS_2.3.1.1.txt
new file mode 100644
index 0000000000..ffaac3a7b3
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_2.3.1.1.txt
@@ -0,0 +1,18 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to 'Disabled':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Administrator account status'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to value different than 'Disabled':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Administrator account status'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
+
+
+
diff --git a/ee/cis/win-10/test/instructions/CIS_2.3.1.2.txt b/ee/cis/win-10/test/instructions/CIS_2.3.1.2.txt
new file mode 100644
index 0000000000..df2fd64b73
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_2.3.1.2.txt
@@ -0,0 +1,18 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to 'Users can't add or log on with Microsoft accounts':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Block Microsoft accounts'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to values different than 'Users can't add or log on with Microsoft accounts':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Block Microsoft accounts'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
+
+
+
diff --git a/ee/cis/win-10/test/instructions/CIS_2.3.1.3.txt b/ee/cis/win-10/test/instructions/CIS_2.3.1.3.txt
new file mode 100644
index 0000000000..f3f54a1724
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_2.3.1.3.txt
@@ -0,0 +1,18 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to 'Disabled':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Guest account status'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to values different than 'Disabled':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Guest account status'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
+
+
+
diff --git a/ee/cis/win-10/test/instructions/CIS_2.3.1.4.txt b/ee/cis/win-10/test/instructions/CIS_2.3.1.4.txt
new file mode 100644
index 0000000000..45b84cebe2
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_2.3.1.4.txt
@@ -0,0 +1,18 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to 'Enabled':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Limit local account use of blank passwords to console logon only'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to values different than 'Enabled':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Limit local account use of blank passwords to console logon only'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
+
+
+
diff --git a/ee/cis/win-10/test/instructions/CIS_2.3.1.5.txt b/ee/cis/win-10/test/instructions/CIS_2.3.1.5.txt
new file mode 100644
index 0000000000..b49a1be703
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_2.3.1.5.txt
@@ -0,0 +1,18 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to a value different than 'Administrator':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Rename administrator account'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to 'Administrator' value:
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Rename administrator account'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
+
+
+
diff --git a/ee/cis/win-10/test/instructions/CIS_2.3.1.6.txt b/ee/cis/win-10/test/instructions/CIS_2.3.1.6.txt
new file mode 100644
index 0000000000..c19cd6cf9a
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_2.3.1.6.txt
@@ -0,0 +1,18 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to a value different than 'Guest':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Rename guest account'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to the 'Guest' value:
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Rename guest account'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
+
+
+
diff --git a/ee/cis/win-10/test/instructions/CIS_2.3.2.1.txt b/ee/cis/win-10/test/instructions/CIS_2.3.2.1.txt
new file mode 100644
index 0000000000..5569b80c6f
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_2.3.2.1.txt
@@ -0,0 +1,18 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to 'Enabled':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to values different than 'Enabled':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
+
+
+
diff --git a/ee/cis/win-10/test/instructions/CIS_2.3.2.2.txt b/ee/cis/win-10/test/instructions/CIS_2.3.2.2.txt
new file mode 100644
index 0000000000..2b207bc777
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_2.3.2.2.txt
@@ -0,0 +1,18 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to 'Disabled':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Shut down system immediately if unable to log security audits'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to values different than 'Disabled':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Shut down system immediately if unable to log security audits'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
+
+
+
diff --git a/ee/cis/win-10/test/instructions/CIS_2.3.4.1.txt b/ee/cis/win-10/test/instructions/CIS_2.3.4.1.txt
new file mode 100644
index 0000000000..36f7b5fcab
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_2.3.4.1.txt
@@ -0,0 +1,18 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to 'Enabled':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Prevent users from installing printer drivers'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to values different than 'Enabled':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Prevent users from installing printer drivers'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
+
+
+
diff --git a/ee/cis/win-10/test/instructions/CIS_2.3.7.1.txt b/ee/cis/win-10/test/instructions/CIS_2.3.7.1.txt
new file mode 100644
index 0000000000..509581fafd
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_2.3.7.1.txt
@@ -0,0 +1,18 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to 'Disabled':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not require CTRL+ALT+DEL'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to values different than 'Disabled':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not require CTRL+ALT+DEL'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
+
+
+
diff --git a/ee/cis/win-10/test/instructions/CIS_2.3.7.2.txt b/ee/cis/win-10/test/instructions/CIS_2.3.7.2.txt
new file mode 100644
index 0000000000..db03bcfdbe
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_2.3.7.2.txt
@@ -0,0 +1,18 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to 'Enabled':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Don't display last signed-in'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to values different than 'Enabled':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Don't display last signed-in'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
+
+
+
diff --git a/ee/cis/win-10/test/instructions/CIS_2.3.7.3.txt b/ee/cis/win-10/test/instructions/CIS_2.3.7.3.txt
new file mode 100644
index 0000000000..dfbda83114
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_2.3.7.3.txt
@@ -0,0 +1,18 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to '10 or fewer invalid logon attempts, but not 0':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Machine account lockout threshold'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to values different than '10 or fewer invalid logon attempts, but not 0':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Machine account lockout threshold'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
+
+
+
diff --git a/ee/cis/win-10/test/instructions/CIS_2.3.7.4.txt b/ee/cis/win-10/test/instructions/CIS_2.3.7.4.txt
new file mode 100644
index 0000000000..e8ab080cf4
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_2.3.7.4.txt
@@ -0,0 +1,18 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to '900 or fewer second(s), but not 0':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Machine inactivity limit'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to values different than '900 or fewer second(s), but not 0':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Machine inactivity limit'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
+
+
+
diff --git a/ee/cis/win-10/test/instructions/CIS_2.3.7.5.txt b/ee/cis/win-10/test/instructions/CIS_2.3.7.5.txt
new file mode 100644
index 0000000000..241547f493
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_2.3.7.5.txt
@@ -0,0 +1,18 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to a non-empty value:
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Message text for users attempting to log on'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to an empty value:
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Message text for users attempting to log on'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
+
+
+
diff --git a/ee/cis/win-10/test/instructions/CIS_2.3.7.6.txt b/ee/cis/win-10/test/instructions/CIS_2.3.7.6.txt
new file mode 100644
index 0000000000..50990af705
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_2.3.7.6.txt
@@ -0,0 +1,18 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to a non-empty value:
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Message title for users attempting to log on'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to an empty value:
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Message title for users attempting to log on'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
+
+
+
diff --git a/ee/cis/win-10/test/instructions/CIS_2.3.7.7.txt b/ee/cis/win-10/test/instructions/CIS_2.3.7.7.txt
new file mode 100644
index 0000000000..f290e4289c
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_2.3.7.7.txt
@@ -0,0 +1,18 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to values 'between 5 and 14 days':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Prompt user to change password before expiration'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to values different than 'between 5 and 14 days':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Prompt user to change password before expiration'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
+
+
+
diff --git a/ee/cis/win-10/test/instructions/CIS_2.3.7.8.txt b/ee/cis/win-10/test/instructions/CIS_2.3.7.8.txt
new file mode 100644
index 0000000000..0a7605324d
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_2.3.7.8.txt
@@ -0,0 +1,18 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to 'Lock Workstation or higher':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Smart card removal behavior'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to values different than 'Lock Workstation or higher':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Smart card removal behavior'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
+
+
+