diff --git a/ee/cis/win-10/cis-policy-queries.yml b/ee/cis/win-10/cis-policy-queries.yml index d2c0913344..bbe53b19c2 100644 --- a/ee/cis/win-10/cis-policy-queries.yml +++ b/ee/cis/win-10/cis-policy-queries.yml 
@@ -1254,6 +1254,160 @@ spec: --- apiVersion: v1 kind: policy +spec: + name: CIS - Ensure 'Network security Allow Local System to use computer identity for NTLM' is set to 'Enabled' + platforms: win10 + platform: windows + description: | + This policy setting determines whether Local System services that use Negotiate when reverting to NTLM authentication can use the computer identity. + resolution: | + Automatic method: + Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Enabled': + 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Allow Local System to use computer identity for NTLM' + query: | + SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\UseMachineId' AND data != 0); + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.11.1 + contributors: marcosd4h +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure 'Network security Allow LocalSystem NULL session fallback' is set to 'Disabled' + platforms: win10 + platform: windows + description: | + This policy setting determines whether NTLM is allowed to fall back to a NULL session when used with LocalSystem. 
+ resolution: | + Automatic method: + Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Disabled': + 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Allow LocalSystem NULL session fallback' + query: | + SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0\\allownullsessionfallback' AND data == 0); + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.11.2 + contributors: marcosd4h +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure 'Network Security Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled' + platforms: win10 + platform: windows + description: | + This setting determines if online identities are able to authenticate to this computer. + resolution: | + Automatic method: + Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Disabled': + 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Allow PKU2U authentication requests to this computer to use online identities' + query: | + SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\pku2u\\AllowOnlineID' AND data == 0); + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.11.3 + contributors: marcosd4h +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure 'Network security Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types' + platforms: win10 + platform: windows + description: | + This setting determines if online identities are able to authenticate to this computer. 
+ resolution: | + Automatic method: + Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types': + 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Configure encryption types allowed for Kerberos' + query: | + SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\Parameters\\SupportedEncryptionTypes' AND ((CAST(data AS INTEGER) & 0x8) AND (CAST(data AS INTEGER) & 0x10) AND (CAST(data AS INTEGER) & 0xe0) AND ((CAST(data AS INTEGER) & 0x1) = 0) AND ((CAST(data AS INTEGER) & 0x2) = 0) AND ((CAST(data AS INTEGER) & 0x4) = 0))); + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.11.4 + contributors: marcosd4h +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure 'Network security Do not store LAN Manager hash value on next password change' is set to 'Enabled' + platforms: win10 + platform: windows + description: | + This policy setting determines whether the LAN Manager (LM) hash value for the new password is + stored when the password is changed. The LM hash is relatively weak and prone to attack compared + to the cryptographically stronger Microsoft Windows NT hash. Since LM hashes are stored on the + local computer in the security database, passwords can then be easily compromised if the + database is attacked. 
+ resolution: | + Automatic method: + Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Enabled': + 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Do not store LAN Manager hash value on next password change' + query: | + SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\NoLmHash' AND data != 0); + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.11.5 + contributors: marcosd4h +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure 'Network security Force logoff when logon hours expire' is set to 'Enabled' + platforms: win10 + platform: windows + description: | + This policy setting determines whether to disconnect users who are connected to the local + computer outside their user account's valid logon hours. This setting affects the Server Message + Block (SMB) component. + resolution: | + Automatic method: + Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Enabled': + 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Force logoff when logon hours expire' + query: | + TBD + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.11.6, CIS_not_completed + contributors: marcosd4h +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure 'Network security LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM' + platforms: win10 + platform: windows + description: | + LAN Manager (LM) was a family of early Microsoft client/server software (predating Windows NT) + that allowed users to link personal computers together on a single network. 
LM network + capabilities included transparent file and print sharing, user security features, and network + administration tools. In Active Directory domains, the Kerberos protocol is the default + authentication protocol. + resolution: | + Automatic method: + Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Send NTLMv2 response only. Refuse LM & NTLM': + 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LAN Manager authentication level' + query: | + SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel' AND data == 5); + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.11.7 + contributors: marcosd4h +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure 'Network security LDAP client signing requirements' is set to 'Negotiate signing or higher' + platforms: win10 + platform: windows + description: | + This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests. + resolution: | + Automatic method: + Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Negotiate signing or higher': + 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LDAP client signing requirements' + query: | + SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\ldap\\ldapclientintegrity' AND data >= 1); + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.11.8 + contributors: marcosd4h +--- +apiVersion: v1 +kind: policy spec: name: > CIS - Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled' 
diff --git a/ee/cis/win-10/test/instructions/CIS_2.3.11.1.txt b/ee/cis/win-10/test/instructions/CIS_2.3.11.1.txt new file mode 100644 index 0000000000..8f35b10b67 --- /dev/null +++ b/ee/cis/win-10/test/instructions/CIS_2.3.11.1.txt @@ -0,0 +1,18 @@ +Expected scenario +================== +1) Open "Edit Group Policy" tool and set the following UI path to 'Enabled': +'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Allow Local System to use computer identity for NTLM' + +2) After running the policy check, it should return 1 indicating that setting was properly set + + + +Failure scenario +================== +1) Open "Edit Group Policy" tool and set the following UI path to values different than 'Enabled': +'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Allow Local System to use computer identity for NTLM' + +2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value + + + diff --git a/ee/cis/win-10/test/instructions/CIS_2.3.11.2.txt b/ee/cis/win-10/test/instructions/CIS_2.3.11.2.txt new file mode 100644 index 0000000000..b893abb11c --- /dev/null +++ b/ee/cis/win-10/test/instructions/CIS_2.3.11.2.txt 
@@ -0,0 +1,18 @@ +Expected scenario +================== +1) Open "Edit Group Policy" tool and set the following UI path to 'Disabled': +'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Allow LocalSystem NULL session fallback' + +2) After running the policy check, it should return 1 indicating that setting was properly set + + + +Failure scenario +================== +1) Open "Edit Group Policy" tool and set the following UI path to values different than 'Disabled': +'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Allow LocalSystem NULL session fallback' + +2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value + + + diff --git a/ee/cis/win-10/test/instructions/CIS_2.3.11.3.txt b/ee/cis/win-10/test/instructions/CIS_2.3.11.3.txt new file mode 100644 index 0000000000..d4164b4ab6 --- /dev/null +++ b/ee/cis/win-10/test/instructions/CIS_2.3.11.3.txt @@ -0,0 +1,18 @@ +Expected scenario +================== +1) Open "Edit Group Policy" tool and set the following UI path to 'Disabled': +'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Allow PKU2U authentication requests to this computer to use online identities' + +2) After running the policy check, it should return 1 indicating that setting was properly set + + + +Failure scenario +================== +1) Open "Edit Group Policy" tool and set the following UI path to values different than 'Disabled': +'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Allow PKU2U authentication requests to this computer to use online identities' + +2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value + + + 
diff --git a/ee/cis/win-10/test/instructions/CIS_2.3.11.4.txt b/ee/cis/win-10/test/instructions/CIS_2.3.11.4.txt new file mode 100644 index 0000000000..e367234eb3 --- /dev/null +++ b/ee/cis/win-10/test/instructions/CIS_2.3.11.4.txt @@ -0,0 +1,18 @@ +Expected scenario +================== +1) Open "Edit Group Policy" tool and set the following UI path to 'AES128_HMAC_SHA1 AND AES256_HMAC_SHA1 AND Future encryption types': +'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Configure encryption types allowed for Kerberos' + +2) After running the policy check, it should return 1 indicating that setting was properly set + + + +Failure scenario +================== +1) Open "Edit Group Policy" tool and set the following UI path to values different than 'AES128_HMAC_SHA1 AND AES256_HMAC_SHA1 AND Future encryption types': +'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Configure encryption types allowed for Kerberos' + +2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value + + + diff --git a/ee/cis/win-10/test/instructions/CIS_2.3.11.5.txt b/ee/cis/win-10/test/instructions/CIS_2.3.11.5.txt new file mode 100644 index 0000000000..d8b4597b1c --- /dev/null +++ b/ee/cis/win-10/test/instructions/CIS_2.3.11.5.txt 
@@ -0,0 +1,18 @@ +Expected scenario +================== +1) Open "Edit Group Policy" tool and set the following UI path to 'Enabled': +'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Do not store LAN Manager hash value on next password change' + +2) After running the policy check, it should return 1 indicating that setting was properly set + + + +Failure scenario +================== +1) Open "Edit Group Policy" tool and set the following UI path to values different than 'Enabled': +'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Do not store LAN Manager hash value on next password change' + +2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value + + + diff --git a/ee/cis/win-10/test/instructions/CIS_2.3.11.6.txt b/ee/cis/win-10/test/instructions/CIS_2.3.11.6.txt new file mode 100644 index 0000000000..cd8b86a544 --- /dev/null +++ b/ee/cis/win-10/test/instructions/CIS_2.3.11.6.txt @@ -0,0 +1,18 @@ +Expected scenario +================== +1) Open "Edit Group Policy" tool and set the following UI path to 'Enabled': +'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Force logoff when logon hours expire' + +2) After running the policy check, it should return 1 indicating that setting was properly set + + + +Failure scenario +================== +1) Open "Edit Group Policy" tool and set the following UI path to values different than 'Enabled': +'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Force logoff when logon hours expire' + +2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value + + + 
diff --git a/ee/cis/win-10/test/instructions/CIS_2.3.11.7.txt b/ee/cis/win-10/test/instructions/CIS_2.3.11.7.txt new file mode 100644 index 0000000000..e367234eb3 --- /dev/null +++ b/ee/cis/win-10/test/instructions/CIS_2.3.11.7.txt @@ -0,0 +1,18 @@ +Expected scenario +================== +1) Open "Edit Group Policy" tool and set the following UI path to 'AES128_HMAC_SHA1 AND AES256_HMAC_SHA1 AND Future encryption types': +'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Configure encryption types allowed for Kerberos' + +2) After running the policy check, it should return 1 indicating that setting was properly set + + + +Failure scenario +================== +1) Open "Edit Group Policy" tool and set the following UI path to values different than 'AES128_HMAC_SHA1 AND AES256_HMAC_SHA1 AND Future encryption types': +'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Configure encryption types allowed for Kerberos' + +2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value + + + diff --git a/ee/cis/win-10/test/instructions/CIS_2.3.11.8.txt b/ee/cis/win-10/test/instructions/CIS_2.3.11.8.txt new file mode 100644 index 0000000000..c77a2dc841 --- /dev/null +++ b/ee/cis/win-10/test/instructions/CIS_2.3.11.8.txt 
@@ -0,0 +1,18 @@ +Expected scenario +================== +1) Open "Edit Group Policy" tool and set the following UI path to 'Negotiate signing or higher': +'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LDAP client signing requirements' + +2) After running the policy check, it should return 1 indicating that setting was properly set + + + +Failure scenario +================== +1) Open "Edit Group Policy" tool and set the following UI path to values different than 'Negotiate signing or higher': +'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LDAP client signing requirements' + +2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value + + +
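Review bot: in the cis-policy-queries.yml hunk, the description for 'Network security Configure encryption types allowed for Kerberos' (CIS_bullet_2.3.11.4) is copied from the PKU2U policy directly above it ("This setting determines if online identities are able to authenticate to this computer.") and does not describe the Kerberos setting; replace it with text stating which Kerberos encryption types the computer may use (AES128, AES256 and future types, with DES and RC4 excluded, which is exactly what the query's bit mask enforces). Two smaller points in the same hunk: the 'Force logoff when logon hours expire' policy (CIS_bullet_2.3.11.6) ships with `query: | TBD`, which is not valid SQL and will error rather than return no rows, so consider holding it back until the check exists; and the other new queries compare the registry `data` column directly (`data != 0`, `data == 5`, `data >= 1`) while the Kerberos query uses `CAST(data AS INTEGER)`; since the osquery registry table exposes `data` as text, using the CAST form everywhere makes the comparisons numeric and consistent.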
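Review bot: in CIS_2.3.11.4.txt, the UI value quoted in step 1 of both scenarios, 'AES128_HMAC_SHA1 AND AES256_HMAC_SHA1 AND Future encryption types', does not match the value the policy's resolution text uses, 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'; the Group Policy editor presents these as individual checkboxes, so the step should say to tick exactly those three and leave the DES and RC4 entries unticked (the query also fails if any of those are set), rather than quote a single string.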
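Review bot: CIS_2.3.11.6.txt states that the policy check "should return 1", but the matching policy in cis-policy-queries.yml still has `query: | TBD` and carries the `CIS_not_completed` tag, so neither scenario can be exercised as written; either add the query in the same change or mark the file as pending so a tester does not read a failing run as a regression.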
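Review bot: CIS_2.3.11.7.txt is a byte-for-byte copy of CIS_2.3.11.4.txt (both have blob index e367234eb3) and tests the Kerberos encryption types setting instead of the policy it is named for, 'Network security: LAN Manager authentication level'; the expected scenario should set that UI path to 'Send NTLMv2 response only. Refuse LM & NTLM' (LmCompatibilityLevel 5, which is the value the query checks) and the failure scenario to any other level.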
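Review bot: in CIS_2.3.11.8.txt the failure scenario's "values different than 'Negotiate signing or higher'" is too broad: the query passes on `ldapclientintegrity >= 1`, so 'Require signing' (value 2) is also compliant and will still return 1; the failure step should set the option to 'None' (value 0), which is the only non-compliant choice.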