CIS policies for 2.3.11.x (#10167)

This relates to #9851
This commit is contained in:
Marcos Oviedo 2023-03-03 16:42:22 -03:00 committed by GitHub
parent 0867679eeb
commit 83fb9d312c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
9 changed files with 298 additions and 0 deletions


@ -1254,6 +1254,160 @@ spec:
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure 'Network security Allow Local System to use computer identity for NTLM' is set to 'Enabled'
platforms: win10
platform: windows
description: |
This policy setting determines whether Local System services that use Negotiate when reverting to NTLM authentication can use the computer identity.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Enabled':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Allow Local System to use computer identity for NTLM'
query: |
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\UseMachineId' AND data != 0);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.11.1
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure 'Network security Allow LocalSystem NULL session fallback' is set to 'Disabled'
platforms: win10
platform: windows
description: |
This policy setting determines whether NTLM is allowed to fall back to a NULL session when used with LocalSystem.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Disabled':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Allow LocalSystem NULL session fallback'
query: |
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0\\allownullsessionfallback' AND data == 0);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.11.2
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure 'Network Security Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'
platforms: win10
platform: windows
description: |
This setting determines if online identities are able to authenticate to this computer.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Disabled':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Allow PKU2U authentication requests to this computer to use online identities'
query: |
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\pku2u\\AllowOnlineID' AND data == 0);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.11.3
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure 'Network security Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'
platforms: win10
platform: windows
description: |
This setting determines if online identities are able to authenticate to this computer.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Configure encryption types allowed for Kerberos'
query: |
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\Parameters\\SupportedEncryptionTypes' AND ((CAST(data AS INTEGER) & 0x8) AND (CAST(data AS INTEGER) & 0x10) AND (CAST(data AS INTEGER) & 0xe0) AND ((CAST(data AS INTEGER) & 0x1) = 0) AND ((CAST(data AS INTEGER) & 0x2) = 0) AND ((CAST(data AS INTEGER) & 0x4) = 0)));
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.11.4
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure 'Network security Do not store LAN Manager hash value on next password change' is set to 'Enabled'
platforms: win10
platform: windows
description: |
This policy setting determines whether the LAN Manager (LM) hash value for the new password is
stored when the password is changed. The LM hash is relatively weak and prone to attack compared
to the cryptographically stronger Microsoft Windows NT hash. Since LM hashes are stored on the
local computer in the security database, passwords can then be easily compromised if the
database is attacked.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Enabled':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Do not store LAN Manager hash value on next password change'
query: |
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\NoLmHash' AND data != 0);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.11.5
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure 'Network security Force logoff when logon hours expire' is set to 'Enabled'
platforms: win10
platform: windows
description: |
This policy setting determines whether to disconnect users who are connected to the local
computer outside their user account's valid logon hours. This setting affects the Server Message
Block (SMB) component.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Enabled':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Force logoff when logon hours expire'
query: |
TBD
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.11.6, CIS_not_completed
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure 'Network security LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'
platforms: win10
platform: windows
description: |
LAN Manager (LM) was a family of early Microsoft client/server software (predating Windows NT)
that allowed users to link personal computers together on a single network. LM network
capabilities included transparent file and print sharing, user security features, and network
administration tools. In Active Directory domains, the Kerberos protocol is the default
authentication protocol.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Send NTLMv2 response only. Refuse LM & NTLM':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LAN Manager authentication level'
query: |
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel' AND data == 5);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.11.7
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: CIS - Ensure 'Network security LDAP client signing requirements' is set to 'Negotiate signing or higher'
platforms: win10
platform: windows
description: |
This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests.
resolution: |
Automatic method:
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Negotiate signing or higher':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LDAP client signing requirements'
query: |
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\ldap\\ldapclientintegrity' AND data >= 1);
purpose: Informational
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.11.8
contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
name: >
CIS - Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'
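Review bot: The description for CIS_bullet_2.3.11.4 ('Network security Configure encryption types allowed for Kerberos') is a copy of the PKU2U text, "This setting determines if online identities are able to authenticate to this computer."; it should say what the setting actually controls, namely which encryption types the Kerberos client and KDC may use (the query enforces AES128_HMAC_SHA1, AES256_HMAC_SHA1 and Future encryption types set, with the DES and RC4 bits clear). Also, CIS_bullet_2.3.11.6 ships with `query: |` / `TBD`; `TBD` is not valid SQL, so either make sure whatever loads this file skips policies tagged `CIS_not_completed` before it is applied, or leave that entry out until the check is written.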


@ -0,0 +1,18 @@
Expected scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to 'Enabled':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Allow Local System to use computer identity for NTLM'
2) After running the policy check, it should return 1 indicating that setting was properly set
Failure scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to values different than 'Enabled':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Allow Local System to use computer identity for NTLM'
2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
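Review bot: The failure scenario should also cover 'Not Defined' (the policy never set), not only values different from 'Enabled': in that case the `UseMachineId` value is absent and the `registry` query returns no row, so the check reports non-compliance without the setting ever having been changed. Spelling this out keeps a tester from reading an empty result as a broken query. The same applies to the other scenario files in this commit.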


@ -0,0 +1,18 @@
Expected scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to 'Disabled':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Allow LocalSystem NULL session fallback'
2) After running the policy check, it should return 1 indicating that setting was properly set
Failure scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to values different than 'Disabled':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Allow LocalSystem NULL session fallback'
2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value


@ -0,0 +1,18 @@
Expected scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to 'Disabled':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Allow PKU2U authentication requests to this computer to use online identities'
2) After running the policy check, it should return 1 indicating that setting was properly set
Failure scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to values different than 'Disabled':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Allow PKU2U authentication requests to this computer to use online identities'
2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value


@ -0,0 +1,18 @@
Expected scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to 'AES128_HMAC_SHA1 AND AES256_HMAC_SHA1 AND Future encryption types':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Configure encryption types allowed for Kerberos'
2) After running the policy check, it should return 1 indicating that setting was properly set
Failure scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to values different than 'AES128_HMAC_SHA1 AND AES256_HMAC_SHA1 AND Future encryption types':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Configure encryption types allowed for Kerberos'
2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
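Review bot: The value in step 1, 'AES128_HMAC_SHA1 AND AES256_HMAC_SHA1 AND Future encryption types', does not match the wording the policy's resolution uses ('AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'), and the Group Policy dialog presents these as individual checkboxes rather than an AND expression; use the same wording in both places. The failure scenario should also name which deviation it exercises, because the query fails for two distinct reasons: one of the three required boxes unchecked, or one of the DES_CBC_CRC, DES_CBC_MD5 or RC4_HMAC_MD5 boxes checked (bits 0x1, 0x2, 0x4). A tester should run both cases, since a query that only looked at the AES bits would pass the second one.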


@ -0,0 +1,18 @@
Expected scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to 'Enabled':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Do not store LAN Manager hash value on next password change'
2) After running the policy check, it should return 1 indicating that setting was properly set
Failure scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to values different than 'Enabled':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Do not store LAN Manager hash value on next password change'
2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value


@ -0,0 +1,18 @@
Expected scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to 'Enabled':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Force logoff when logon hours expire'
2) After running the policy check, it should return 1 indicating that setting was properly set
Failure scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to values different than 'Enabled':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Force logoff when logon hours expire'
2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
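Review bot: Step 2 of the expected scenario states that the check returns 1, but the policy for 'Force logoff when logon hours expire' in this commit has `TBD` as its query and is tagged `CIS_not_completed`, so neither scenario can currently be exercised. Mark this file as pending (or reference the tag) so nobody treats a failed run as a regression until the query exists.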


@ -0,0 +1,18 @@
Expected scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to 'AES128_HMAC_SHA1 AND AES256_HMAC_SHA1 AND Future encryption types':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Configure encryption types allowed for Kerberos'
2) After running the policy check, it should return 1 indicating that setting was properly set
Failure scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to values different than 'AES128_HMAC_SHA1 AND AES256_HMAC_SHA1 AND Future encryption types':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Configure encryption types allowed for Kerberos'
2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
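Review bot: This file repeats the 'Configure encryption types allowed for Kerberos' scenario already added earlier in the commit, while the policy file adds eight checks (2.3.11.1 through 2.3.11.8) and no scenario for 2.3.11.7, 'Network security LAN Manager authentication level', appears anywhere. It looks like the wrong content went into this file; it should describe setting the UI path to 'Send NTLMv2 response only. Refuse LM & NTLM' (LmCompatibilityLevel = 5) for the expected case and any of the lower levels for the failure case.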


@ -0,0 +1,18 @@
Expected scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to 'Negotiate signing or higher':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LDAP client signing requirements'
2) After running the policy check, it should return 1 indicating that setting was properly set
Failure scenario
==================
1) Open "Edit Group Policy" tool and set the following UI path to values different than 'Negotiate signing or higher':
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LDAP client signing requirements'
2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
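Review bot: "values different than 'Negotiate signing or higher'" is misleading for the failure scenario: 'Require signing' is the higher option and is compliant, since the query accepts `ldapclientintegrity >= 1`. The only non-compliant choice in this dialog is 'None' (value 0), so the failure step should say that explicitly, and the expected scenario could note that both 'Negotiate signing' and 'Require signing' return 1.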