diff --git a/changes/10367-fix-false-positive-cis-windows-policies b/changes/10367-fix-false-positive-cis-windows-policies
new file mode 100644
index 0000000000..c60a9fbdb6
--- /dev/null
+++ b/changes/10367-fix-false-positive-cis-windows-policies
@@ -0,0 +1 @@
+- Fix 3 windows cis benchmark policies that had false positive results (Initally merged March 24)
diff --git a/ee/cis/win-10/cis-policy-queries.yml b/ee/cis/win-10/cis-policy-queries.yml
index 5f2e7e51a6..f01d3c78ef 100644
--- a/ee/cis/win-10/cis-policy-queries.yml
+++ b/ee/cis/win-10/cis-policy-queries.yml
@@ -4948,7 +4948,7 @@ spec:
 SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DoHPolicy' AND data = 2);
 purpose: Informational
 tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.5.4.1
- contributors: marcosd4h
+ contributors: marcosd4h
 ---
 apiVersion: v1
 kind: policy
@@ -5119,7 +5119,7 @@ spec:
 SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections\NC_StdDomainUserSetLocation' AND data = 1);
 purpose: Informational
 tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.5.11.4
- contributors: marcosd4h
+ contributors: marcosd4h
 ---
 apiVersion: v1
 kind: policy
@@ -5597,7 +5597,7 @@ spec:
 );
 purpose: Informational
 tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_domain_joined_required, CIS_bullet_18.8.21.5
- contributors: marcosd4h
+ contributors: marcosd4h
 ---
 apiVersion: v1
 kind: policy
@@ -7356,11 +7356,11 @@ spec: To establish the recommended configuration via GP, set the following UI path to Enabled: 'Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\Deny write access to removable drives not protected by BitLocker' Note: This Group Policy path may not exist by default. It is provided by the Group Policy template VolumeEncryption.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer). - query: + query: | SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\FVE\RDVDenyWriteAccess' AND data = 1); purpose: Informational tags: compliance, CIS, CIS_BitLocker, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.11.3.14 - contributors: marcosd4h + contributors: marcosd4h --- apiVersion: v1 kind: policy @@ -7435,7 +7435,7 @@ spec: SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\\Windows\\CloudContent\DisableConsumerAccountStateContent' AND data = 1); purpose: Informational tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.14.1 - contributors: marcosd4h + contributors: marcosd4h --- apiVersion: v1 kind: policy @@ -7602,7 +7602,7 @@ spec: SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\\DisableOneSettingsDownloads' AND data = 1); purpose: Informational tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.17.3 - contributors: marcosd4h + contributors: marcosd4h --- apiVersion: v1 kind: policy 
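Review bot: The value that now sits under the new `query: |` in the -7356 hunk mixes doubled and single separators in one path literal (`...\\Microsoft\\FVE\RDVDenyWriteAccess`), and the -7435 hunk in the same file carries `Microsoft\\\Windows`; neither a YAML literal block nor a SQLite string literal processes backslash escapes, so the `path` predicate is sent to the registry table exactly as written, and whether `\\` or `\\\` ever matches a real key depends on that table normalising repeated separators, which the page gives no evidence for. The -4948 hunk already uses plain single `\` throughout, so there is a form in this file that needs no such assumption; I would normalise this value to `path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE\RDVDenyWriteAccess'` in the same edit, or confirm on a host that the doubled form matches before relying on it, since a never-matching path makes the policy report every device as failing rather than flagging a real misconfiguration. The policy document (its `name`, `description` and `resolution` fields) starts above the hunk and is not visible here.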
@@ -7677,7 +7677,7 @@ spec:
 SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\LimitDumpCollection' AND data = 1);
 purpose: Informational
 tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.17.7
- contributors: marcosd4h
+ contributors: marcosd4h
 ---
 apiVersion: v1
 kind: policy
@@ -8115,7 +8115,7 @@ spec:
 );
 purpose: Informational
 tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.47.5.1.2
- contributors: marcosd4h
+ contributors: marcosd4h
 ---
 apiVersion: v1
 kind: policy
@@ -8172,7 +8172,7 @@ spec:
 SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\MpEngine\\EnableFileHashComputation' AND data = 1);
 purpose: Informational
 tags: compliance, CIS, CIS_Level2, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.47.6.1
- contributors: marcosd4h
+ contributors: marcosd4h
 ---
 apiVersion: v1
 kind: policy
@@ -8253,7 +8253,7 @@ spec:
 SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableScriptScanning' AND data = 0);
 purpose: Informational
 tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.47.9.4
- contributors: marcosd4h
+ contributors: marcosd4h
 ---
 apiVersion: v1
 kind: policy
@@ -8567,7 +8567,7 @@ spec:
 SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services\\fDisableLocationRedir' AND data = 1);
 purpose: Informational
 tags: compliance, CIS, CIS_Level2, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.65.3.3.4
- contributors: marcosd4h
+ contributors: marcosd4h
 ---
 apiVersion: v1
 kind: policy
@@ -9560,9 +9560,8 @@ spec: To establish the recommended configuration via GP, set the following UI path to '0 - Every day': 'Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update\Manage end user experience\Configure Automatic Updates: Scheduled install day' query: | - SELECT EXISTS ( - SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\NoAutoUpdate' AND data = 0) - ) AND EXISTS ( + SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\NoAutoUpdate' AND data = 0) + AND EXISTS ( SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\ScheduledInstallDay' AND data = 0) ); purpose: Informational @@ -9618,9 +9617,8 @@ spec: To establish the recommended configuration via GP, set the following UI path to 'Enabled: 180 or more days': 'Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update\Manage updates offered from Windows Update\Windows Update for Business\Select when Preview Builds and Feature Updates are received' query: | - SELECT EXISTS ( - SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\DeferFeatureUpdates' AND data = 1) - ) AND EXISTS ( + SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\DeferFeatureUpdates' AND data = 1) + AND EXISTS ( SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\DeferFeatureUpdatesPeriodInDays' AND data >= 180) ); purpose: Informational 
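Review bot: In the -9618 hunk the `EXISTS` subquery kept on the new side compares `DeferFeatureUpdatesPeriodInDays` with `data >= 180`, but osquery's registry table declares `data` as TEXT (worth confirming against the table schema), and SQLite then applies TEXT affinity to the bare literal, so this is a string comparison: a stored value of `90` satisfies `'90' >= '180'` while `1000` does not, which is the same class of false positive this commit sets out to remove. Casting before comparing makes the numeric intent explicit and removes the affinity dependence: `SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\DeferFeatureUpdatesPeriodInDays' AND CAST(data AS INTEGER) >= 180)`. The equality checks in the -9560 and -9640 hunks (`data = 0`, `data = 1`) go through the same text comparison but happen to be correct because the textual forms coincide; only the range check is affected. Each policy document starts above its hunk, so the `name` and `description` fields are not visible here.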
@@ -9640,9 +9638,8 @@ spec: To establish the recommended configuration via GP, set the following UI path to 'Enabled: 0 days': 'Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update\Windows Update for Business\Select when Quality Updates are received' query: | - SELECT EXISTS ( - SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\DeferQualityUpdates' AND data = 1) - ) AND EXISTS ( + SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\DeferQualityUpdates' AND data = 1) + AND EXISTS ( SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\DeferQualityUpdatesPeriodInDays' AND data = 0) ); purpose: Informational @@ -9884,7 +9881,7 @@ spec: SELECT 1 FROM registry WHERE (path LIKE 'HKEY_USERS\%\SOFTWARE\Policies\Microsoft\Windows\CloudContent\DisableSpotlightCollectionOnDesktop' AND data = 1); purpose: Informational tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_19.7.8.5 - contributors: marcosd4h + contributors: marcosd4h --- apiVersion: v1 kind: policy