From 7fe196304c9a2d1be5640e0a1acfa50954df2fc1 Mon Sep 17 00:00:00 2001 From: RachelElysia <71795832+RachelElysia@users.noreply.github.com> Date: Tue, 14 Mar 2023 16:36:34 -0400 Subject: [PATCH] CIS - WIN10 - 18.9.12 to 18.9.16 (#10465) --- .../cis-NON-COMPLETED-policy-queries.yml | 22 +++ ee/cis/win-10/cis-policy-queries.yml | 127 ++++++++++++++++++ 2 files changed, 149 insertions(+) diff --git a/ee/cis/win-10/cis-NON-COMPLETED-policy-queries.yml b/ee/cis/win-10/cis-NON-COMPLETED-policy-queries.yml index a8a25c0b4a..f8ca88d378 100644 --- a/ee/cis/win-10/cis-NON-COMPLETED-policy-queries.yml +++ b/ee/cis/win-10/cis-NON-COMPLETED-policy-queries.yml @@ -317,3 +317,25 @@ spec: purpose: Informational tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.11.6, CIS_not_completed contributors: marcosd4h +--- +apiVersion: v1 +kind: policy +spec: + name: > + CIS - Ensure 'Turn off cloud consumer account state content' is set to 'Enabled' + platforms: win10 + platform: windows + description: | + This policy setting determines whether cloud consumer account state content is allowed in all Windows experiences. + resolution: | + To establish the recommended configuration via GP, set the following UI path to Enabled: + 'Computer Configuration\Policies\Administrative Templates\Windows Components\Cloud Content\Turn off cloud consumer account state content' + query: | + # TBD + # 'Turn off cloud consumer account state content' does not exist in group policy editor even though CloudContent.admx exists and other policies exist + # Untested: Select 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\\Windows\\CloudContent\DisableConsumerAccountStateContent' AND data = 1); + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.14.1, CIS_not_completed + contributors: rachelelysia +--- + diff --git a/ee/cis/win-10/cis-policy-queries.yml b/ee/cis/win-10/cis-policy-queries.yml index 6aa98014b8..f96cef036e 100644 --- a/ee/cis/win-10/cis-policy-queries.yml +++ b/ee/cis/win-10/cis-policy-queries.yml @@ -3512,4 +3512,131 @@ spec: purpose: Informational tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.8.3 contributors: marcosd4h +--- +apiVersion: v1 +kind: policy +spec: + name: > + CIS - Ensure 'Allow Use of Camera' is set to 'Disabled' + platforms: win10 + platform: windows + description: | + This policy setting controls whether the use of Camera devices on the machine are +permitted. + resolution: | + To establish the recommended configuration via GP, set the following UI path to Disabled: + 'Computer Configuration\Policies\Administrative Templates\Windows Components\Camera\Allow Use of Camera' + query: | + SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Camera\AllowCamera' AND data = 0); + purpose: Informational + tags: compliance, CIS, CIS_Level2, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.12.1 + contributors: rachelelysia +--- +apiVersion: v1 +kind: policy +spec: + name: > + CIS - Ensure 'Turn off cloud optimized content' is set to 'Enabled' + platforms: win10 + platform: windows + description: | + This policy setting turns off cloud optimized content in all Windows experiences. + resolution: | + To establish the recommended configuration via GP, set the following UI path to Enabled: + 'Computer Configuration\Policies\Administrative Templates\Windows Components\Cloud Content\Turn off cloud optimized content' + query: | + Select 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent\DisableCloudOptimizedContent' AND data = 1); + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.14.2 + contributors: rachelelysia +--- +apiVersion: v1 +kind: policy +spec: + name: > + CIS - Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled' + platforms: win10 + platform: windows + description: | + This policy setting turns off experiences that help consumers make the most of their devices and Microsoft account. + resolution: | + To establish the recommended configuration via GP, set the following UI path to Enabled: + 'Computer Configuration\Policies\Administrative Templates\Windows Components\Cloud Content\Turn off Microsoft consumer experiences' + query: | + SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent\DisableWindowsConsumerFeatures' AND data = 1); + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.14.3 + contributors: rachelelysia +--- +apiVersion: v1 +kind: policy +spec: + name: > + CIS - Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always' + platforms: win10 + platform: windows + description: | + This policy setting controls whether or not a PIN is required for pairing to a wireless display device. + resolution: | + To establish the recommended configuration via GP, set the following UI path to 'Enabled: First Time' OR 'Enabled: Always': + 'Computer Configuration\Policies\Administrative Templates\Windows Components\Connect\Require pin for pairing' + query: | + SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\Windows\\Connect\RequirePinForPairing' AND data = 2); + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.15.1 + contributors: rachelelysia +--- +apiVersion: v1 +kind: policy +spec: + name: > + CIS - Ensure 'Do not display the password reveal button' is set to 'Enabled' + platforms: win10 + platform: windows + description: | + This policy setting allows you to configure the display of the password reveal button in password entry user experiences. + resolution: | + To establish the recommended configuration via GP, set the following UI path to Enabled: + 'Computer Configuration\Policies\Administrative Templates\Windows Components\Credential User Interface\Do not display the password reveal button' + query: | + SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CredUI\DisablePasswordReveal' AND data = 1); + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.16.1 + contributors: rachelelysia +--- +apiVersion: v1 +kind: policy +spec: + name: > + CIS - Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' + platforms: win10 + platform: windows + description: | + This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. + resolution: | + To establish the recommended configuration via GP, set the following UI path to Disabled: + 'Computer Configuration\Policies\Administrative Templates\Windows Components\Credential User Interface\Enumerate administrator accounts on elevation' + query: | + SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\CredUI\EnumerateAdministrators' AND data = 0); + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.16.2 + contributors: rachelelysia +--- +apiVersion: v1 +kind: policy +spec: + name: > + CIS - Ensure 'Prevent the use of security questions for local accounts' is set to 'Enabled' + platforms: win10 + platform: windows + description: | + This policy setting controls whether security questions can be used to reset local account passwords. The security question feature does not apply to domain accounts, only local accounts on the workstation. + resolution: | + To establish the recommended configuration via GP, set the following UI path to Enabled: + 'Computer Configuration\Policies\Administrative Templates\Windows Components\Credential User Interface\Prevent the use of security questions for local accounts' + query: | + SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\NoLocalPasswordResetQuestions' AND data = 1); + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.16.3 + contributors: rachelelysia --- \ No newline at end of file