mirror of
https://github.com/fleetdm/fleet
synced 2026-05-23 00:49:03 +00:00
CIS - WIN10 - 18.8.17 - 18.8.27 (#10430)
This commit is contained in:
parent
99136e4965
commit
95fb828a03
2 changed files with 407 additions and 0 deletions
@ -320,6 +320,70 @@ spec:
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: >
|
||||
CIS - Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'
|
||||
platforms: win10
|
||||
platform: windows
|
||||
description: |
|
||||
The "Process even if the Group Policy objects have not changed" option updates and reapplies policies even if the policies have not changed.
|
||||
resolution: |
|
||||
To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Process even if the Group Policy objects have not changed option to TRUE (checked):
|
||||
'Computer Configuration\Policies\Administrative Templates\System\Group Policy\Configure registry policy processing'
|
||||
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
|
||||
query: |
|
||||
TBD
|
||||
# Registry key wont change on edit (from 1 to 0)
|
||||
# SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Group Policy\\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoGPOListChanges' AND data = 0);
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_not_completed, CIS_domain_joined_required, CIS_bullet_18.8.21.3, CIS_not_completed
|
||||
contributors: rachelelysia
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: >
|
||||
CIS - Ensure 'Continue experiences on this device' is set to 'Disabled'
|
||||
platforms: win10
|
||||
platform: windows
|
||||
description: |
|
||||
This policy setting determines whether the Windows device is allowed to participate in cross-device experiences (continue experiences).
|
||||
resolution: |
|
||||
To establish the recommended configuration via GP, set the following UI path to Disabled:
|
||||
'Computer Configuration\Policies\Administrative Templates\System\Group Policy\Continue experiences on this device'
|
||||
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
|
||||
query: |
|
||||
TBD
|
||||
# Registry key wont change on edit (from 1 to 0)
|
||||
# SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\EnableCdp' AND data = 0);
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_not_completed, CIS_domain_joined_required, CIS_bullet_18.8.21.4, CIS_not_completed
|
||||
contributors: rachelelysia
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: >
|
||||
CIS - Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'
|
||||
platforms: win10
|
||||
platform: windows
|
||||
description: |
|
||||
This policy setting prevents Group Policy from being updated while the computer is in use.
|
||||
This policy setting applies to Group Policy for computers, users and Domain Controllers.
|
||||
resolution: |
|
||||
To establish the recommended configuration via GP, set the following UI path to Disabled:
|
||||
'Computer Configuration\Policies\Administrative Templates\System\Group Policy\Turn off background refresh of Group Policy'
|
||||
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
|
||||
query: |
|
||||
TBD
|
||||
# DisableBkGndGroupPolicy registry path does not exist even with psexec.exe
|
||||
# Untested: SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\DisableBkGndGroupPolicy' AND data = 0);
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_not_completed, CIS_domain_joined_required, CIS_bullet_18.8.21.5
|
||||
contributors: rachelelysia
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: >
|
||||
CIS - Ensure 'Turn off cloud consumer account state content' is set to 'Enabled'
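Review bot: The three policies in this hunk (18.8.21.3, 18.8.21.4, 18.8.21.5) ship with `query: TBD`, which is not valid SQL and will error the moment the policy runs, while the intended checks sit in comments below it; since they are already tagged `CIS_not_completed`, either hold them out of the file until the registry checks are validated, or drop the `TBD` line and keep the commented SQL as the query. Two smaller points in the same entries: `CIS_not_completed` is listed twice in the tags of 18.8.21.3 and 18.8.21.4, and the comment "Registry key wont change on edit" should read "won't". On the 18.8.21.5 comment that the DisableBkGndGroupPolicy path does not exist: that value is only written once the policy is configured through GPO, so its absence on an unconfigured host is expected rather than a privilege problem, and a `data = 0` check that returns no rows in that case is the outcome CIS wants for "set to Disabled". Finally, the commented paths mix `\\` between key components with a single `\` before the value name (`...Group Policy\\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoGPOListChanges`); because `query` is a YAML literal block and SQLite string literals do not process backslashes, both forms reach osquery verbatim, so settle on one convention and confirm it matches the `path` values the registry table actually returns.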
@ -3366,6 +3366,349 @@ spec:
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: >
|
||||
CIS - Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'
|
||||
platforms: win10
|
||||
platform: windows
|
||||
description: |
|
||||
The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart.
|
||||
resolution: |
|
||||
To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Do not apply during periodic background processing option to FALSE (unchecked):
|
||||
'Computer Configuration\Policies\Administrative Templates\System\Group Policy\Configure registry policy processing'
|
||||
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
|
||||
query: |
|
||||
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Group Policy\\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoBackgroundPolicy' AND data = 0);
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_group_policy_template_required, CIS_bullet_18.8.21.2
|
||||
contributors: rachelelysia
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: >
|
||||
CIS - Ensure 'Turn off access to the Store' is set to 'Enabled'
|
||||
platforms: win10
|
||||
platform: windows
|
||||
description: |
|
||||
This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file type or protocol association. When a user opens a file type or protocol that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Store service to find an application.
|
||||
resolution: |
|
||||
To establish the recommended configuration via GP, set the following UI path to Enabled:
|
||||
'Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off access to the Store'
|
||||
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ICM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
|
||||
query: |
|
||||
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer\NoUseStoreOpenWith' AND data = 1);
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level2, CIS_win10_enterprise_1.12.0, CIS_group_policy_template_required, CIS_bullet_18.8.22.1.1
|
||||
contributors: rachelelysia
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: >
|
||||
CIS - Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'
|
||||
platforms: win10
|
||||
platform: windows
|
||||
description: |
|
||||
This policy setting controls whether the computer can download print driver packages over HTTP. To set up HTTP printing, printer drivers that are not available in the standard operating system installation might need to be downloaded over HTTP.
|
||||
resolution: |
|
||||
To establish the recommended configuration via GP, set the following UI path to Enabled:
|
||||
'Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off downloading of print drivers over HTTP'
|
||||
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ICM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
|
||||
query: |
|
||||
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\DisableWebPnPDownload' AND data = 1);
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_group_policy_template_required, CIS_bullet_18.8.22.1.2
|
||||
contributors: rachelelysia
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: >
|
||||
CIS - Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'
|
||||
platforms: win10
|
||||
platform: windows
|
||||
description: |
|
||||
This setting turns off data sharing from the handwriting recognition personalization tool.
|
||||
The handwriting recognition personalization tool enables Tablet PC users to adapt handwriting recognition to their own writing style by providing writing samples. The tool can optionally share user writing samples with Microsoft to improve handwriting recognition in future versions of Windows. The tool generates reports and transmits them to Microsoft over a secure connection.
|
||||
resolution: |
|
||||
To establish the recommended configuration via GP, set the following UI path to Enabled:
|
||||
'Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off handwriting personalization data sharing'
|
||||
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ShapeCollector.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
|
||||
query: |
|
||||
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\TabletPC\PreventHandwritingDataSharing' AND data = 1);
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level2, CIS_win10_enterprise_1.12.0, CIS_group_policy_template_required, CIS_bullet_18.8.22.1.3
|
||||
contributors: rachelelysia
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: >
|
||||
CIS - Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'
|
||||
platforms: win10
|
||||
platform: windows
|
||||
description: |
|
||||
Turns off the handwriting recognition error reporting tool.
|
||||
The handwriting recognition error reporting tool enables users to report errors encountered in Tablet PC Input Panel. The tool generates error reports and transmits them to Microsoft over a secure connection. Microsoft uses these error reports to improve handwriting recognition in future versions of Windows.
|
||||
resolution: |
|
||||
To establish the recommended configuration via GP, set the following UI path to Enabled:
|
||||
'Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off handwriting recognition error reporting'
|
||||
Note: This Group Policy path is provided by the Group Policy template InkWatson.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
|
||||
query: |
|
||||
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\HandwritingErrorReports\PreventHandwritingErrorReports' AND data = 1);
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level2, CIS_win10_enterprise_1.12.0, CIS_group_policy_template_required, CIS_bullet_18.8.22.1.4
|
||||
contributors: rachelelysia
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: >
|
||||
CIS - Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'
|
||||
platforms: win10
|
||||
platform: windows
|
||||
description: |
|
||||
This policy setting specifies whether the Internet Connection Wizard can connect to Microsoft to download a list of Internet Service Providers (ISPs).
|
||||
resolution: |
|
||||
To establish the recommended configuration via GP, set the following UI path to Enabled:
|
||||
'Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com'
|
||||
Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
|
||||
query: |
|
||||
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Internet Connection Wizard\ExitOnMSICW' AND data = 1);
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level2, CIS_win10_enterprise_1.12.0, CIS_group_policy_template_required, CIS_bullet_18.8.22.1.5
|
||||
contributors: rachelelysia
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: >
|
||||
CIS - Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
|
||||
platforms: win10
|
||||
platform: windows
|
||||
description: |
|
||||
This policy setting controls whether Windows will download a list of providers for the Web publishing and online ordering wizards.
|
||||
resolution: |
|
||||
To establish the recommended configuration via GP, set the following UI path to Enabled:
|
||||
'Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Internet download for Web publishing and online ordering wizards'
|
||||
Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
|
||||
query: |
|
||||
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\NoWebServices' AND data = 1);
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_group_policy_template_required, CIS_bullet_18.8.22.1.6
|
||||
contributors: rachelelysia
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: >
|
||||
CIS - Ensure 'Turn off printing over HTTP' is set to 'Enabled'
|
||||
platforms: win10
|
||||
platform: windows
|
||||
description: |
|
||||
This policy setting allows you to disable the client computer's ability to print over HTTP, which allows the computer to print to printers on the intranet as well as the Internet.
|
||||
resolution: |
|
||||
To establish the recommended configuration via GP, set the following UI path to Enabled:
|
||||
'Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off printing over HTTP'
|
||||
Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
|
||||
query: |
|
||||
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\DisableHTTPPrinting' AND data = 1);
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level2, CIS_win10_enterprise_1.12.0, CIS_group_policy_template_required, CIS_bullet_18.8.22.1.7
|
||||
contributors: rachelelysia
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: >
|
||||
CIS - Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'
|
||||
platforms: win10
|
||||
platform: windows
|
||||
description: |
|
||||
This policy setting specifies whether the Windows Registration Wizard connects to Microsoft.com for online registration.
|
||||
resolution: |
|
||||
To establish the recommended configuration via GP, set the following UI path to Enabled:
|
||||
'Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Registration if URL connection is referring to Microsoft.com'
|
||||
Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
|
||||
query: |
|
||||
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Registration Wizard Control\NoRegistration' AND data = 1);
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level2, CIS_win10_enterprise_1.12.0, CIS_group_policy_template_required, CIS_bullet_18.8.22.1.8
|
||||
contributors: rachelelysia
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: >
|
||||
CIS - Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'
|
||||
platforms: win10
|
||||
platform: windows
|
||||
description: |
|
||||
This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches.
|
||||
resolution: |
|
||||
To establish the recommended configuration via GP, set the following UI path to Enabled:
|
||||
'Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Search Companion content file updates'
|
||||
Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
|
||||
query: |
|
||||
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SearchCompanion\DisableContentFileUpdates' AND data = 1);
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level2, CIS_win10_enterprise_1.12.0, CIS_group_policy_template_required, CIS_bullet_18.8.22.1.9
|
||||
contributors: rachelelysia
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: >
|
||||
CIS - Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'
|
||||
platforms: win10
|
||||
platform: windows
|
||||
description: |
|
||||
This policy setting specifies whether the "Order Prints Online" task is available from Picture Tasks in Windows folders.
|
||||
The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online.
|
||||
resolution: |
|
||||
To establish the recommended configuration via GP, set the following UI path to Enabled:
|
||||
'Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off the "Order Prints" picture task'
|
||||
Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
|
||||
query: |
|
||||
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\NoOnlinePrintsWizard' AND data = 1);
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level2, CIS_win10_enterprise_1.12.0, CIS_group_policy_template_required, CIS_bullet_18.8.22.1.10
|
||||
contributors: rachelelysia
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: >
|
||||
CIS - Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'
|
||||
platforms: win10
|
||||
platform: windows
|
||||
description: |
|
||||
This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders. The Web Publishing wizard is used to download a list of providers and allow users to publish content to the Web.
|
||||
resolution: |
|
||||
To establish the recommended configuration via GP, set the following UI path to Enabled:
|
||||
'Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off the "Publish to Web" task for files and folders'
|
||||
query: |
|
||||
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\NoPublishingWizard' AND data = 1);
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level2, CIS_win10_enterprise_1.12.0, CIS_group_policy_template_required, CIS_bullet_18.8.22.1.11
|
||||
contributors: rachelelysia
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: >
|
||||
CIS - Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'
|
||||
platforms: win10
|
||||
platform: windows
|
||||
description: |
|
||||
This policy setting specifies whether the Windows Customer Experience Improvement Program can collect anonymous information about how Windows is used. Microsoft uses information collected through the Windows Customer Experience Improvement Program to improve features that are most used and to detect flaws so that they can be corrected more quickly. Enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose.
|
||||
resolution: |
|
||||
To establish the recommended configuration via GP, set the following UI path to Enabled:
|
||||
'Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off the Windows Messenger Customer Experience Improvement Program'
|
||||
query: |
|
||||
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Messenger\\Client\CEIP' AND data = 2);
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level2, CIS_win10_enterprise_1.12.0, CIS_group_policy_template_required, CIS_bullet_18.8.22.1.12
|
||||
contributors: rachelelysia
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: >
|
||||
CIS - Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'
|
||||
platforms: win10
|
||||
platform: windows
|
||||
description: |
|
||||
This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used.
|
||||
Microsoft uses information collected through the Windows Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly, enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose.
|
||||
resolution: |
|
||||
To establish the recommended configuration via GP, set the following UI path to Enabled:
|
||||
'Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Windows Customer Experience Improvement Program'
|
||||
query: |
|
||||
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SQMClient\\Windows\CEIPEnable' AND data = 0);
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level2, CIS_win10_enterprise_1.12.0, CIS_group_policy_template_required, CIS_bullet_18.8.22.1.13
|
||||
contributors: rachelelysia
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: >
|
||||
CIS - Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'
|
||||
platforms: win10
|
||||
platform: windows
|
||||
description: |
|
||||
This policy setting controls whether or not errors are reported to Microsoft. Error Reporting is used to report information about a system or application that has failed or has stopped responding and is used to improve the quality of the product.
|
||||
resolution: |
|
||||
To establish the recommended configuration via GP, set the following UI path to Enabled:
|
||||
'Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Windows Error Reporting'
|
||||
query: |
|
||||
SELECT COUNT(*) FROM registry WHERE ((path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Error Reporting\Disabled' AND data = 1) OR (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\PCHealth\\ErrorReporting\DoReport' AND data = 0))=2;
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level2, CIS_win10_enterprise_1.12.0, CIS_group_policy_template_required, CIS_bullet_18.8.22.1.14
|
||||
contributors: rachelelysia
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: >
|
||||
CIS - Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic'
|
||||
platforms: win10
|
||||
platform: windows
|
||||
description: |
|
||||
This policy setting allows you to set support for Kerberos to attempt authentication using the certificate for the device to the domain.
|
||||
Support for device authentication using certificate will require connectivity to a DC in the device account domain which supports certificate authentication for computer accounts.
|
||||
resolution: |
|
||||
To establish the recommended configuration via GP, set the following UI path to Enabled: Automatic:
|
||||
'Computer Configuration\Policies\Administrative Templates\System\Kerberos\Support device authentication using certificate'
|
||||
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Kerberos.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
|
||||
query: |
|
||||
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\kerberos\\parameters\DevicePKInitBehavior' AND data = 0) AND (SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\kerberos\\parameters\DevicePKInitEnabled' AND data = 1));
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level2, CIS_win10_enterprise_1.12.0, CIS_group_policy_template_required, CIS_bullet_18.8.25.1
|
||||
contributors: rachelelysia
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: >
|
||||
CIS - Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'
|
||||
platforms: win10
|
||||
platform: windows
|
||||
description: |
|
||||
This policy is intended to provide additional security against external DMA-capable devices. It allows for more control over the enumeration of external DMA-capable devices that are not compatible with DMA Remapping/device memory isolation and sandboxing.
|
||||
resolution: |
|
||||
To establish the recommended configuration via GP, set the following UI path to Enabled: Block All:
|
||||
'Computer Configuration\Policies\Administrative Templates\System\Kernel DMA Protection\Enumeration policy for external devices incompatible with Kernel DMA Protection'
|
||||
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DmaGuard.admx/adml that is included with the Microsoft Windows 10 Release 1809 & Server 2019 Administrative Templates (or newer).
|
||||
query: |
|
||||
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Kernel DMA Protection\DeviceEnumerationPolicy' AND data = 0);
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_LevelBL, CIS_win10_enterprise_1.12.0, CIS_group_policy_template_required, CIS_bullet_18.8.26.1
|
||||
contributors: rachelelysia
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: >
|
||||
CIS - Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled' (Automated)
|
||||
platforms: win10
|
||||
platform: windows
|
||||
description: |
|
||||
This policy prevents automatic copying of user input methods to the system account for use on the sign-in screen. The user is restricted to the set of input methods that are enabled in the system account.
|
||||
resolution: |
|
||||
To establish the recommended configuration via GP, set the following UI path to Enabled:
|
||||
'Computer Configuration\Policies\Administrative Templates\System\Locale Services\Disallow copying of user input methods to the system account for sign-in'
|
||||
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Globalization.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
|
||||
query: |
|
||||
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Control Panel\\International\BlockUserInputMethodsForSignIn' AND data = 1);
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level2, CIS_win10_enterprise_1.12.0, CIS_group_policy_template_required, CIS_bullet_18.8.27.1
|
||||
contributors: rachelelysia
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: >
|
||||
CIS - Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'
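Review bot: The 18.8.22.1.14 query, `SELECT COUNT(*) FROM registry WHERE ((...Disabled' AND data = 1) OR (...DoReport' AND data = 0))=2;`, always passes: the OR expression evaluates to 0 or 1, so comparing it to 2 is never true, the count is 0, and the query still returns one row (the count itself), which Fleet treats as a passing host. Move the comparison outside the aggregate, e.g. `SELECT 1 WHERE (SELECT COUNT(*) FROM registry WHERE (...Disabled' AND data = 1) OR (...DoReport' AND data = 0)) = 2;`. Second, the descriptions for 18.8.22.1.12 and 18.8.22.1.13 look swapped: the 'Turn off the Windows Messenger Customer Experience Improvement Program' entry describes the general Windows CEIP, while the 'Turn off Windows Customer Experience Improvement Program' entry describes Windows Messenger. Third, the 18.8.25.1 query mixes a single and a double backslash inside the same path (`HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\...`) and uses a bare scalar subquery as an AND operand; expressing it as a `COUNT(*) = 2` over both value paths, like the WER check above, keeps it consistent with the rest of the file. Lastly, the 18.8.27.1 name carries an '(Automated)' suffix that none of the other names in this hunk have.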