From a2e8a787c9ad10a3cb3771074e8b07c15344652b Mon Sep 17 00:00:00 2001 
From: Marcos Oviedo Date: Fri, 3 Mar 2023 17:05:07 -0300 Subject: [PATCH] Pushing CIS policies check for 2.2.8 to 2.2.39 (#10283) This relates to #9848 --- ee/cis/win-10/cis-policy-queries.yml | 641 ++++++++++++++++++ .../win-10/test/instructions/CIS_2.2.10.txt | 15 + .../win-10/test/instructions/CIS_2.2.11.txt | 15 + .../win-10/test/instructions/CIS_2.2.12.txt | 15 + .../win-10/test/instructions/CIS_2.2.13.txt | 15 + .../win-10/test/instructions/CIS_2.2.14.txt | 15 + .../win-10/test/instructions/CIS_2.2.15.txt | 15 + .../win-10/test/instructions/CIS_2.2.16.txt | 15 + .../win-10/test/instructions/CIS_2.2.17.txt | 15 + .../win-10/test/instructions/CIS_2.2.18.txt | 15 + .../win-10/test/instructions/CIS_2.2.19.txt | 15 + .../win-10/test/instructions/CIS_2.2.20.txt | 15 + .../win-10/test/instructions/CIS_2.2.21.txt | 15 + .../win-10/test/instructions/CIS_2.2.22.txt | 15 + .../win-10/test/instructions/CIS_2.2.23.txt | 15 + .../win-10/test/instructions/CIS_2.2.24.txt | 15 + .../win-10/test/instructions/CIS_2.2.25.txt | 15 + .../win-10/test/instructions/CIS_2.2.26.txt | 15 + .../win-10/test/instructions/CIS_2.2.27.txt | 15 + .../win-10/test/instructions/CIS_2.2.28.txt | 15 + .../win-10/test/instructions/CIS_2.2.29.txt | 15 + .../win-10/test/instructions/CIS_2.2.30.txt | 15 + .../win-10/test/instructions/CIS_2.2.31.txt | 15 + .../win-10/test/instructions/CIS_2.2.32.txt | 15 + .../win-10/test/instructions/CIS_2.2.33.txt | 15 + .../win-10/test/instructions/CIS_2.2.34.txt | 15 + .../win-10/test/instructions/CIS_2.2.35.txt | 15 + .../win-10/test/instructions/CIS_2.2.36.txt | 15 + .../win-10/test/instructions/CIS_2.2.37.txt | 15 + .../win-10/test/instructions/CIS_2.2.38.txt | 15 + .../win-10/test/instructions/CIS_2.2.39.txt | 15 + ee/cis/win-10/test/instructions/CIS_2.2.8.txt | 15 + ee/cis/win-10/test/instructions/CIS_2.2.9.txt | 15 + 33 files changed, 1121 insertions(+) create mode 100644 ee/cis/win-10/test/instructions/CIS_2.2.10.txt create mode 100644 
ee/cis/win-10/test/instructions/CIS_2.2.11.txt create mode 100644 ee/cis/win-10/test/instructions/CIS_2.2.12.txt create mode 100644 ee/cis/win-10/test/instructions/CIS_2.2.13.txt create mode 100644 ee/cis/win-10/test/instructions/CIS_2.2.14.txt create mode 100644 ee/cis/win-10/test/instructions/CIS_2.2.15.txt create mode 100644 ee/cis/win-10/test/instructions/CIS_2.2.16.txt create mode 100644 ee/cis/win-10/test/instructions/CIS_2.2.17.txt create mode 100644 ee/cis/win-10/test/instructions/CIS_2.2.18.txt create mode 100644 ee/cis/win-10/test/instructions/CIS_2.2.19.txt create mode 100644 ee/cis/win-10/test/instructions/CIS_2.2.20.txt create mode 100644 ee/cis/win-10/test/instructions/CIS_2.2.21.txt create mode 100644 ee/cis/win-10/test/instructions/CIS_2.2.22.txt create mode 100644 ee/cis/win-10/test/instructions/CIS_2.2.23.txt create mode 100644 ee/cis/win-10/test/instructions/CIS_2.2.24.txt create mode 100644 ee/cis/win-10/test/instructions/CIS_2.2.25.txt create mode 100644 ee/cis/win-10/test/instructions/CIS_2.2.26.txt create mode 100644 ee/cis/win-10/test/instructions/CIS_2.2.27.txt create mode 100644 ee/cis/win-10/test/instructions/CIS_2.2.28.txt create mode 100644 ee/cis/win-10/test/instructions/CIS_2.2.29.txt create mode 100644 ee/cis/win-10/test/instructions/CIS_2.2.30.txt create mode 100644 ee/cis/win-10/test/instructions/CIS_2.2.31.txt create mode 100644 ee/cis/win-10/test/instructions/CIS_2.2.32.txt create mode 100644 ee/cis/win-10/test/instructions/CIS_2.2.33.txt create mode 100644 ee/cis/win-10/test/instructions/CIS_2.2.34.txt create mode 100644 ee/cis/win-10/test/instructions/CIS_2.2.35.txt create mode 100644 ee/cis/win-10/test/instructions/CIS_2.2.36.txt create mode 100644 ee/cis/win-10/test/instructions/CIS_2.2.37.txt create mode 100644 ee/cis/win-10/test/instructions/CIS_2.2.38.txt create mode 100644 ee/cis/win-10/test/instructions/CIS_2.2.39.txt create mode 100644 ee/cis/win-10/test/instructions/CIS_2.2.8.txt create mode 100644 
ee/cis/win-10/test/instructions/CIS_2.2.9.txt
diff --git a/ee/cis/win-10/cis-policy-queries.yml b/ee/cis/win-10/cis-policy-queries.yml
index daf37fb397..20f8b6c914 100644
--- a/ee/cis/win-10/cis-policy-queries.yml
+++ b/ee/cis/win-10/cis-policy-queries.yml
@@ -343,6 +343,647 @@ spec:
 ---
 apiVersion: v1
 kind: policy
+spec:
+ name: CIS - Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting determines which users and groups can change the time and date on the
+ internal clock of the computers in your environment. Users who are assigned this user right can
+ affect the appearance of event logs. When a computer's time setting is changed, logged events
+ reflect the new time, not the actual time that the events occurred.
+ resolution: |
+ Automatic method:
+ Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Administrators, LOCAL SERVICE':
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Change the system time'
+ query: |
+ SELECT 1 FROM mdm_bridge where mdm_command_input = "1./Device/Vendor/MSFT/Policy/Result/UserRights/ChangeSystemTime" AND mdm_command_output LIKE "Administrators%" AND mdm_command_output LIKE "%LOCAL SERVICE";
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.8, english-support-only
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: CIS - Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'
+ platforms: win10
+ platform: windows
+ description: |
+ This setting determines which users can change the time zone of the computer. This ability holds no great danger for the computer and may be useful for mobile workers.
+ resolution: |
+ Automatic method:
+ Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Administrators, LOCAL SERVICE, Users':
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Change the time zone'
+ query: |
+ tbd
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.9, CIS_not_completed, english-support-only
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: CIS - Ensure 'Create a pagefile' is set to 'Administrators'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting allows users to change the size of the pagefile. By making the pagefile extremely large or extremely small, an attacker could easily affect the performance of a compromised computer.
+ resolution: |
+ Automatic method:
+ Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Administrators':
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create a pagefile'
+ query: |
+ SELECT 1 FROM mdm_bridge where mdm_command_input = "1./Device/Vendor/MSFT/Policy/Result/UserRights/ChangeSystemTime" AND mdm_command_output LIKE "%Administrators%";
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.10, english-support-only
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: CIS - Ensure 'Create a token object' is set to an empty list
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting allows a process to create an access token, which may provide elevated rights to access sensitive data.
+ resolution: |
+ Automatic method:
+ Ask your system administrator to establish the recommended configuration via GP, set the following UI path to an empty list:
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create a token object'
+ query: |
+ SELECT 1 FROM mdm_bridge where mdm_command_input = "1./Device/Vendor/MSFT/Policy/Result/UserRights/CreateToken" AND mdm_command_output == "";
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.11
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: CIS - Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting allows users to change the size of the pagefile. By making the pagefile extremely large or extremely small, an attacker could easily affect the performance of a compromised computer.
+ resolution: |
+ Automatic method:
+ Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE':
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create global objects'
+ query: |
+ SELECT 1 FROM mdm_bridge where mdm_command_input = "1./Device/Vendor/MSFT/Policy/Result/UserRights/CreateGlobalObjects" AND (regex_match(mdm_command_output,".*(Administrators|LOCAL SERVICE|NETWORK SERVICE|([^\w\s]SERVICE)).*",0) is not null);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.12, english-support-only
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: CIS - Ensure 'Create permanent shared objects' is set to an empty list
+ platforms: win10
+ platform: windows
+ description: |
+ This user right is useful to kernel-mode components that extend the
object namespace. However,
+ components that run in kernel mode have this user right inherently. Therefore, it is typically
+ not necessary to specifically assign this user right.
+ resolution: |
+ Automatic method:
+ Ask your system administrator to establish the recommended configuration via GP, set the following UI path to an empty list:
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create permanent shared objects'
+ query: |
+ SELECT 1 FROM mdm_bridge where mdm_command_input = "1./Device/Vendor/MSFT/Policy/Result/UserRights/CreatePermanentSharedObjects" AND mdm_command_output == "";
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.13
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: CIS - Ensure 'Create symbolic links' is set to 'Administrators or NT VIRTUAL MACHINE\Virtual Machines'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting determines which users can create symbolic links. In Windows Vista, existing
+ NTFS file system objects, such as files and folders, can be accessed by referring to a new kind
+ of file system object called a symbolic link. A symbolic link is a pointer (much like a shortcut
+ or .lnk file) to another file system object, which can be a file, folder, shortcut or another
+ symbolic link. The difference between a shortcut and a symbolic link is that a shortcut only
+ works from within the Windows shell. To other programs and applications, shortcuts are just
+ another file, whereas with symbolic links, the concept of a shortcut is implemented as a feature
+ of the NTFS file system. Symbolic links can potentially expose security vulnerabilities in
+ applications that are not designed to use them. For this reason, the privilege for creating
+ symbolic links should only be assigned to trusted users. By default, only Administrators can
+ create symbolic links.
+ resolution: |
+ Automatic method:
+ Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Administrators or NT VIRTUAL MACHINE\Virtual Machines'
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create symbolic links'
+ query: |
+ SELECT 1 FROM mdm_bridge where mdm_command_input = "1./Device/Vendor/MSFT/Policy/Result/UserRights/CreateSymbolicLinks" AND (regex_match(mdm_command_output,".*(Administrators|Virtual Machines).*",0) is not null);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.14, english-support-only
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: CIS - Ensure 'Debug programs' is set to 'Administrators'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting determines which user accounts will have the right to attach a debugger to
+ any process or to the kernel, which provides complete access to sensitive and critical operating
+ system components. Developers who are debugging their own applications do not need to be
+ assigned this user right; however, developers who are debugging new system components will need it.
+ resolution: |
+ Automatic method:
+ Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Administrators'
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Debug programs'
+ query: |
+ SELECT 1 FROM mdm_bridge where mdm_command_input = "1./Device/Vendor/MSFT/Policy/Result/UserRights/DebugPrograms" AND mdm_command_output == "Administrators";
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.15, english-support-only
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: CIS - Ensure 'Deny access to this computer from the network' includes 'Guest'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting prohibits users from connecting to a computer from across the network, which
+ would allow users to access and potentially modify data remotely. In high security environments,
+ there should be no need for remote users to access data on a computer. Instead, file sharing
+ should be accomplished through the use of network servers. This user right supersedes the Access
+ this computer from the network user right if an account is subject to both policies.
+ resolution: |
+ Automatic method:
+ Ask your system administrator to establish the recommended configuration via GP, ensure that the following UI path includes 'Guest'
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny access to this computer from the network'
+ query: |
+ SELECT 1 FROM mdm_bridge where mdm_command_input = "1./Device/Vendor/MSFT/Policy/Result/UserRights/DenyAccessFromNetwork" AND (regex_match(mdm_command_output,".*(Guest).*",0) is not null);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.16, english-support-only
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: CIS - Ensure 'Deny log on as a batch job' includes 'Guest'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting determines which accounts will not be able to log on to the computer as a
+ batch job. A batch job is not a batch (.bat) file, but rather a batch-queue facility. Accounts that use the Task Scheduler to schedule jobs need this user right.
+ resolution: |
+ Automatic method:
+ Ask your system administrator to establish the recommended configuration via GP, ensure that the following UI path includes 'Guests'
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as a batch job'
+ query: |
+ TBD
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.17, CIS_not_completed, english-support-only
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: CIS - Ensure 'Deny log on as a service' includes 'Guest'
+ platforms: win10
+ platform: windows
+ description: |
+ This security setting determines which service accounts are prevented from registering a process
+ as a service. This user right supersedes the Log on as a service user right if an account is subject to both policies.
+ resolution: |
+ Automatic method:
+ Ask your system administrator to establish the recommended configuration via GP, ensure that the following UI path includes 'Guests'
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as a service'
+ query: |
+ TBD
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.18, CIS_not_completed, english-support-only
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: CIS - Ensure 'Deny log on locally' includes 'Guest'
+ platforms: win10
+ platform: windows
+ description: |
+ This security setting determines which users are prevented from logging on at the computer. This
+ policy setting supersedes the Allow log on locally policy setting if an account is subject to
+ both policies.
+ resolution: |
+ Automatic method:
+ Ask your system administrator to establish the recommended configuration via GP, ensure that the following UI path includes 'Guests'
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on locally'
+ query: |
+ SELECT 1 FROM mdm_bridge where mdm_command_input = "1./Device/Vendor/MSFT/Policy/Result/UserRights/DenyLocalLogOn" AND (regex_match(mdm_command_output,".*(Guest).*",0) is not null);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.19, english-support-only
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: CIS - Ensure 'Deny log on through Remote Desktop Services' includes 'Guest'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting determines whether users can log on as Remote Desktop clients. This user right supersedes the Allow log on through Remote Desktop Services user right if an account is subject to both policies.
+ resolution: |
+ Automatic method:
+ Ask your system administrator to establish the recommended configuration via GP, ensure that the following UI path includes 'Guests'
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on through Remote Desktop Services'
+ query: |
+ SELECT 1 FROM mdm_bridge where mdm_command_input = "1./Device/Vendor/MSFT/Policy/Result/UserRights/DenyRemoteDesktopServicesLogOn" AND (regex_match(mdm_command_output,".*(Guest).*",0) is not null);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.20, english-support-only
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: CIS - Ensure 'Enable computer and user accounts to be trusted for delegation' is set to an empty list
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting allows users to change the Trusted for Delegation setting on a computer object in Active Directory. Abuse of this privilege could allow unauthorized users to impersonate other users on the network.
+ resolution: |
+ Automatic method:
+ Ask your system administrator to establish the recommended configuration via GP, ensure that the following UI path is set to an empty list
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Enable computer and user accounts to be trusted for delegation'
+ query: |
+ SELECT 1 FROM mdm_bridge where mdm_command_input = "1./Device/Vendor/MSFT/Policy/Result/UserRights/EnableDelegation" AND mdm_command_output == "";
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.21
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: CIS - Ensure 'Force shutdown from a remote system' is set to 'Administrators'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting allows users to shut down Windows Vista-based and newer computers from
+ remote locations on the network. Anyone who has been assigned this user right can cause a denial
+ of service (DoS) condition, which would make the computer unavailable to service user requests.
+ Therefore, it is recommended that only highly trusted administrators be assigned this user.
+ right.
+ resolution: |
+ Automatic method:
+ Ask your system administrator to establish the recommended configuration via GP, ensure that the following UI path is set to an empty list
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Force shutdown from a remote system'
+ query: |
+ SELECT 1 FROM mdm_bridge where mdm_command_input = "1./Device/Vendor/MSFT/Policy/Result/UserRights/RemoteShutdown" AND mdm_command_output == "Administrators";
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.22, english-support-only
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: CIS - Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting determines which users or processes can generate audit records in the Security log.
+ resolution: |
+ Automatic method:
+ Ask your system administrator to establish the recommended configuration via GP, ensure that the following UI path is set to an empty list
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Generate security audits'
+ query: |
+ SELECT 1 FROM mdm_bridge where mdm_command_input = "1./Device/Vendor/MSFT/Policy/Result/UserRights/GenerateSecurityAudits" AND (regex_match(mdm_command_output,".*(LOCAL SERVICE|NETWORK SERVICE).*",0) is not null);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.23, english-support-only
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: CIS - Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'
+ platforms: win10
+ platform: windows
+ description: |
+ The policy setting allows programs that run on behalf of a user to impersonate that user (or
+ another specified account) so
that they can act on behalf of the user. If this user right is
+ required for this kind of impersonation, an unauthorized user will not be able to convince a
+ client to connect—for example, by remote procedure call (RPC) or named pipes—to a service that
+ they have created to impersonate that client, which could elevate the unauthorized user's permissions to administrative or system levels.
+ resolution: |
+ Automatic method:
+ Ask your system administrator to establish the recommended configuration via GP, ensure that the following UI path is set to an empty list
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Impersonate a client after authentication'
+ query: |
+ SELECT 1 FROM mdm_bridge where mdm_command_input = "1./Device/Vendor/MSFT/Policy/Result/UserRights/ImpersonateClient" AND (regex_match(mdm_command_output,".*(Administrators|LOCAL SERVICE|NETWORK SERVICE|([^\w\s]SERVICE)).*",0) is not null);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.24, english-support-only
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: CIS - Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting determines whether users can increase the base priority class of a process.
+ (It is not a privileged operation to increase relative priority within a priority class.) This
+ user right is not required by administrative tools that are supplied with the operating system but might be required by software development tools.
+ resolution: |
+ Automatic method:
+ Ask your system administrator to establish the recommended configuration via GP, ensure that the following UI path is set to an empty list
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Increase scheduling priority'
+ query: |
+ SELECT 1 FROM mdm_bridge where mdm_command_input = "1./Device/Vendor/MSFT/Policy/Result/UserRights/IncreaseSchedulingPriority" AND (regex_match(mdm_command_output,".*(Administrators|Window Manager Group).*",0) is not null);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.25, english-support-only
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: CIS - Ensure 'Load and unload device drivers' is set to 'Administrators'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting allows users to dynamically load a new device driver on a system. An
+ attacker could potentially use this capability to install malicious code that appears to be a
+ device driver. This user right is required for users to add local printers or printer drivers in
+ Windows.
+ resolution: |
+ Automatic method:
+ Ask your system administrator to establish the recommended configuration via GP, ensure that the following UI path is set to an empty list
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Increase scheduling priority'
+ query: |
+ SELECT 1 FROM mdm_bridge where mdm_command_input = "1./Device/Vendor/MSFT/Policy/Result/UserRights/LoadUnloadDeviceDrivers" AND mdm_command_output == "Administrators";
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.26, english-support-only
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: CIS - Ensure 'Lock pages in memory' is set to an empty list
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting allows a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. If this user right is assigned, significant degradation of system performance can occur.
+ resolution: |
+ Automatic method:
+ Ask your system administrator to establish the recommended configuration via GP, ensure that the following UI path is set to an empty list
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Lock pages in memory'
+ query: |
+ SELECT 1 FROM mdm_bridge where mdm_command_input = "1./Device/Vendor/MSFT/Policy/Result/UserRights/LockMemory" AND mdm_command_output == "";
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.27
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: CIS - Ensure 'Log on as a batch job' is set to 'Administrators'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting allows accounts to log on using the task scheduler service.
Because the task
+ scheduler is often used for administrative purposes, it may be needed in enterprise
+ environments. However, its use should be restricted in high security environments to prevent
+ misuse of system resources or to prevent attackers from using the right to launch malicious code
+ after gaining user level access to a computer.
+ resolution: |
+ Automatic method:
+ Ask your system administrator to establish the recommended configuration via GP, ensure that the following UI path is set to an empty list
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a batch job'
+ query: |
+ TBD
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.28, CIS_not_completed, english-support-only
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: CIS - Configure 'Log on as a service'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting allows accounts to launch network services or to register a process as a
+ service running on the system. This user right should be restricted on any computer in a high
+ security environment, but because many applications may require this privilege, it should be
+ carefully evaluated and tested before configuring it in an enterprise environment. On Windows
+ Vista-based (and newer) computers, no users or groups have this privilege by default.
+ resolution: |
+ Automatic method:
+ Ask your system administrator to establish the recommended configuration via GP, ensure that the following UI path is set to an empty list
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a service'
+ query: |
+ TBD
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.29, CIS_not_completed, english-support-only
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: CIS - Ensure 'Manage auditing and security log' is set to 'Administrators'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting determines which users can change the auditing options for files and directories and clear the Security log.
+ resolution: |
+ Automatic method:
+ Ask your system administrator to establish the recommended configuration via GP, ensure that the following UI path is set to an empty list
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Manage auditing and security log'
+ query: |
+ SELECT 1 FROM mdm_bridge where mdm_command_input = "1./Device/Vendor/MSFT/Policy/Result/UserRights/ManageAuditingAndSecurityLog" AND mdm_command_output == "Administrators";
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.30, english-support-only
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: CIS - Ensure 'Modify an object label' is set to an empty list
+ platforms: win10
+ platform: windows
+ description: |
+ This privilege determines which user accounts can modify the integrity label of objects, such as
+ files, registry keys, or processes owned by other users. Processes running under a user account
+ can modify the label of an object owned by that user to a lower level without this privilege.
+ resolution: |
+ Automatic method:
+ Ask your system administrator to establish the recommended configuration via GP, ensure that the following UI path is set to an empty list
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Modify an object label'
+ query: |
+ SELECT 1 FROM mdm_bridge where mdm_command_input = "1./Device/Vendor/MSFT/Policy/Result/UserRights/ModifyObjectLabel" AND mdm_command_output == "";
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.31
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: CIS - Ensure 'Modify firmware environment values' is set to 'Administrators'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting allows users to configure the system-wide environment variables that affect
+ hardware configuration. This information is typically stored in the Last Known Good
+ Configuration. Modification of these values and could lead to a hardware failure that would result in a denial of service condition.
+ resolution: |
+ Automatic method:
+ Ask your system administrator to establish the recommended configuration via GP, ensure that the following UI path is set to an empty list
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Modify firmware environment values'
+ query: |
+ SELECT 1 FROM mdm_bridge where mdm_command_input = "1./Device/Vendor/MSFT/Policy/Result/UserRights/ModifyFirmwareEnvironment" AND mdm_command_output == "Administrators";
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.32, english-support-only
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: CIS - Ensure 'Perform volume maintenance tasks' is set to 'Administrators'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting allows users to manage the system's volume or disk configuration, which could allow a user to delete a volume and cause data loss as well as a denial-ofservice condition.
+ resolution: |
+ Automatic method:
+ Ask your system administrator to establish the recommended configuration via GP, ensure that the following UI path is set to an empty list
+ 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Perform volume maintenance tasks'
+ query: |
+ TBD
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.33, CIS_not_completed, english-support-only
+ contributors: marcosd4h
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: CIS - Ensure 'Profile single process' is set to 'Administrators'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting determines which users can use tools to monitor the performance of
+ non-system processes. Typically, you do not need to configure this user right to use the
+ Microsoft Management Console (MMC) Performance snap-in.
However, you do need this user right if + System Monitor is configured to collect data using Windows Management Instrumentation (WMI). + Restricting the Profile single process user right prevents intruders from gaining additional + information that could be used to mount an attack on the system. + resolution: | + Automatic method: + Ask your system administrator to establish the recommended configuration via GP, ensure that the following UI path is set to an empty list + 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Profile single process' + query: | + SELECT 1 FROM mdm_bridge where mdm_command_input = "1./Device/Vendor/MSFT/Policy/Result/UserRights/ProfileSingleProcess" AND mdm_command_output == "Administrators"; + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.34, english-support-only + contributors: marcosd4h +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost' + platforms: win10 + platform: windows + description: | + This policy setting allows users to use tools to view the performance of different system + processes, which could be abused to allow attackers to determine a system's active processes and + provide insight into the potential attack surface of the computer. 
+ resolution: | + Automatic method: + Ask your system administrator to establish the recommended configuration via GP, ensure that the following UI path is set to an empty list + 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Profile system performance' + query: | + TBD + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.35, CIS_not_completed, english-support-only + contributors: marcosd4h +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE' + platforms: win10 + platform: windows + description: | + This policy setting allows one process or service to start another service or process with a + different security access token, which can be used to modify the security access token of that sub-process and result in the escalation of privileges. + resolution: | + Automatic method: + Ask your system administrator to establish the recommended configuration via GP, ensure that the following UI path is set to an empty list + 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Replace a process level token' + query: | + TBD + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.36, CIS_not_completed, english-support-only + contributors: marcosd4h +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure 'Restore files and directories' is set to 'Administrators' + platforms: win10 + platform: windows + description: | + This policy setting determines which users can bypass file, directory, registry, and other + persistent object permissions when restoring backed up files and directories on computers that + run Windows Vista (or newer) in your environment. 
This user right also determines which users + can set valid security principals as object owners; it is similar to the Back up files and + directories user right. + resolution: | + Automatic method: + Ask your system administrator to establish the recommended configuration via GP, ensure that the following UI path is set to an empty list + 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Restore files and directories' + query: | + SELECT 1 FROM mdm_bridge where mdm_command_input = "1./Device/Vendor/MSFT/Policy/Result/UserRights/RestoreFilesAndDirectories" AND mdm_command_output == "Administrators"; + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.37, english-support-only + contributors: marcosd4h +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure 'Shut down the system' is set to 'Administrators, Users' + platforms: win10 + platform: windows + description: | + This policy setting determines which users who are logged on locally to the computers in your + environment can shut down the operating system with the Shut Down command. Misuse of this user right can result in a denial of service condition. 
+ resolution: | + Automatic method: + Ask your system administrator to establish the recommended configuration via GP, ensure that the following UI path is set to an empty list + 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Shut down the system' + query: | + TBD + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.38, CIS_not_completed, english-support-only + contributors: marcosd4h +--- +apiVersion: v1 +kind: policy +spec: + name: CIS - Ensure 'Take ownership of files or other objects' is set to 'Administrators' + platforms: win10 + platform: windows + description: | + This policy setting allows users to take ownership of files, folders, registry keys, processes, + or threads. This user right bypasses any permissions that are in place to protect objects to give ownership to the specified user. + resolution: | + Automatic method: + Ask your system administrator to establish the recommended configuration via GP, ensure that the following UI path is set to an empty list + 'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Take ownership of files or other objects' + query: | + SELECT 1 FROM mdm_bridge where mdm_command_input = "1./Device/Vendor/MSFT/Policy/Result/UserRights/TakeOwnership" AND mdm_command_output == "Administrators"; + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.39, english-support-only + contributors: marcosd4h +--- +apiVersion: v1 +kind: policy spec: name: CIS - Ensure 'Accounts Administrator account status' is set to 'Disabled' platforms: win10 diff --git a/ee/cis/win-10/test/instructions/CIS_2.2.10.txt b/ee/cis/win-10/test/instructions/CIS_2.2.10.txt new file mode 100644 index 0000000000..94cc29c7f1 --- /dev/null +++ b/ee/cis/win-10/test/instructions/CIS_2.2.10.txt 
@@ -0,0 +1,15 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to 'Administrators':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create a pagefile'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to a value other than 'Administrators':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create a pagefile'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
\ No newline at end of file
diff --git a/ee/cis/win-10/test/instructions/CIS_2.2.11.txt b/ee/cis/win-10/test/instructions/CIS_2.2.11.txt
new file mode 100644
index 0000000000..feefa46125
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_2.2.11.txt
@@ -0,0 +1,15 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to an empty list:
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create a token object'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to a value other than empty list:
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create a token object'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
\ No newline at end of file
diff --git a/ee/cis/win-10/test/instructions/CIS_2.2.12.txt b/ee/cis/win-10/test/instructions/CIS_2.2.12.txt
new file mode 100644
index 0000000000..f9544cb379
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_2.2.12.txt
@@ -0,0 +1,15 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to an empty value:
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create global objects'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to a value other than an empty value:
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create global objects'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
\ No newline at end of file
diff --git a/ee/cis/win-10/test/instructions/CIS_2.2.13.txt b/ee/cis/win-10/test/instructions/CIS_2.2.13.txt
new file mode 100644
index 0000000000..f9544cb379
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_2.2.13.txt
@@ -0,0 +1,15 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to an empty value:
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create global objects'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to a value other than an empty value:
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create global objects'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
\ No newline at end of file
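Review bot: CIS_2.2.13.txt is identical to CIS_2.2.12.txt: both carry blob `f9544cb379` and both name the 'Create global objects' path with an empty value, so one of the two controls has no test procedure of its own. A tester following 2.2.13 would repeat the 2.2.12 scenario and record a result for a user right that was never exercised. The file should name the user right and expected value that the 2.2.13 entry in cis-policy-queries.yml checks; that entry is outside this view, so the correct path is not quoted here. CIS_2.2.14.txt names 'Create permanent shared objects', which suggests the numbering in this range may be shifted by one and is worth checking against the policy names.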
diff --git a/ee/cis/win-10/test/instructions/CIS_2.2.14.txt b/ee/cis/win-10/test/instructions/CIS_2.2.14.txt
new file mode 100644
index 0000000000..f37278a184
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_2.2.14.txt
@@ -0,0 +1,15 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to an empty list:
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create permanent shared objects'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to a value other than an empty list:
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create permanent shared objects'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
\ No newline at end of file
diff --git a/ee/cis/win-10/test/instructions/CIS_2.2.15.txt b/ee/cis/win-10/test/instructions/CIS_2.2.15.txt
new file mode 100644
index 0000000000..40defeecd9
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_2.2.15.txt
@@ -0,0 +1,15 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to 'Administrators':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Debug programs'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to a value other than 'Administrators':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Debug programs'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
\ No newline at end of file
diff --git a/ee/cis/win-10/test/instructions/CIS_2.2.16.txt b/ee/cis/win-10/test/instructions/CIS_2.2.16.txt
new file mode 100644
index 0000000000..f0150d7edb
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_2.2.16.txt
@@ -0,0 +1,15 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to 'Guest':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny access to this computer from the network'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to a value other than 'Guest':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny access to this computer from the network'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
\ No newline at end of file
diff --git a/ee/cis/win-10/test/instructions/CIS_2.2.17.txt b/ee/cis/win-10/test/instructions/CIS_2.2.17.txt
new file mode 100644
index 0000000000..8ea520ca50
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_2.2.17.txt
@@ -0,0 +1,15 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to 'Guest':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as a batch job'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to a value other than 'Guest':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as a batch job'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
\ No newline at end of file
diff --git a/ee/cis/win-10/test/instructions/CIS_2.2.18.txt b/ee/cis/win-10/test/instructions/CIS_2.2.18.txt
new file mode 100644
index 0000000000..551b04a2b0
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_2.2.18.txt
@@ -0,0 +1,15 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to 'Guest':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as a service'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to a value other than 'Guest':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as a service'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
\ No newline at end of file
diff --git a/ee/cis/win-10/test/instructions/CIS_2.2.19.txt b/ee/cis/win-10/test/instructions/CIS_2.2.19.txt
new file mode 100644
index 0000000000..37de7130c3
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_2.2.19.txt
@@ -0,0 +1,15 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to 'Guest':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on locally'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to a value other than 'Guest':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on locally'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
\ No newline at end of file
diff --git a/ee/cis/win-10/test/instructions/CIS_2.2.20.txt b/ee/cis/win-10/test/instructions/CIS_2.2.20.txt
new file mode 100644
index 0000000000..da092f5a3c
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_2.2.20.txt
@@ -0,0 +1,15 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to 'Guest':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on through Remote Desktop Services'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to a value other than 'Guest':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on through Remote Desktop Services'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
\ No newline at end of file
diff --git a/ee/cis/win-10/test/instructions/CIS_2.2.21.txt b/ee/cis/win-10/test/instructions/CIS_2.2.21.txt
new file mode 100644
index 0000000000..b09767d6dd
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_2.2.21.txt
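Review bot: The UI path in both scenarios of CIS_2.2.20.txt has the `'Computer Configuration\...\User Rights Assignment\` prefix pasted twice with a stray quote in the middle, so the step cannot be followed as written. Each of the two path lines should read `'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on through Remote Desktop Services'`.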
@@ -0,0 +1,15 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to an empty list:
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Enable computer and user accounts to be trusted for delegation'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to a value other than an empty list:
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Enable computer and user accounts to be trusted for delegation'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
\ No newline at end of file
diff --git a/ee/cis/win-10/test/instructions/CIS_2.2.22.txt b/ee/cis/win-10/test/instructions/CIS_2.2.22.txt
new file mode 100644
index 0000000000..6c167925aa
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_2.2.22.txt
@@ -0,0 +1,15 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to 'Administrators':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Force shutdown from a remote system'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to a value other than 'Administrators':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Force shutdown from a remote system'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
\ No newline at end of file
diff --git a/ee/cis/win-10/test/instructions/CIS_2.2.23.txt b/ee/cis/win-10/test/instructions/CIS_2.2.23.txt
new file mode 100644
index 0000000000..c9c7434edc
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_2.2.23.txt
@@ -0,0 +1,15 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to 'LOCAL SERVICE, NETWORK SERVICE':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Generate security audits'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to a value other than 'LOCAL SERVICE, NETWORK SERVICE':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Generate security audits'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
\ No newline at end of file
diff --git a/ee/cis/win-10/test/instructions/CIS_2.2.24.txt b/ee/cis/win-10/test/instructions/CIS_2.2.24.txt
new file mode 100644
index 0000000000..53d65906a9
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_2.2.24.txt
@@ -0,0 +1,15 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to 'Administrators, LOCAL SERVICE, NETWORK SERVICE,SERVICE':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Impersonate a client after authentication'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to a value other than 'Administrators, LOCAL SERVICE, NETWORK SERVICE,SERVICE':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Impersonate a client after authentication'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
\ No newline at end of file
diff --git a/ee/cis/win-10/test/instructions/CIS_2.2.25.txt b/ee/cis/win-10/test/instructions/CIS_2.2.25.txt
new file mode 100644
index 0000000000..611326bb4d
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_2.2.25.txt
@@ -0,0 +1,15 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to 'Administrators, Window Manager\Window Manager Group':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Increase scheduling priority'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to a value other than 'Administrators, Window Manager\Window Manager Group':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Increase scheduling priority'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
\ No newline at end of file
diff --git a/ee/cis/win-10/test/instructions/CIS_2.2.26.txt b/ee/cis/win-10/test/instructions/CIS_2.2.26.txt
new file mode 100644
index 0000000000..14ddbb643f
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_2.2.26.txt
@@ -0,0 +1,15 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to 'Administrators':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Increase scheduling priority'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to a value other than 'Administrators':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Increase scheduling priority'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
\ No newline at end of file
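Review bot: CIS_2.2.26.txt points at the same 'Increase scheduling priority' path as CIS_2.2.25.txt but expects a different value ('Administrators' instead of 'Administrators, Window Manager\Window Manager Group'), so the two procedures contradict each other on one setting. This looks like a copy of the 2.2.25 path that was not updated. The path in both scenarios should be replaced with the user right named by the 2.2.26 policy in cis-policy-queries.yml; that entry is outside this view, so the correct name is not quoted here.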
diff --git a/ee/cis/win-10/test/instructions/CIS_2.2.27.txt b/ee/cis/win-10/test/instructions/CIS_2.2.27.txt
new file mode 100644
index 0000000000..0f2a9d47c1
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_2.2.27.txt
@@ -0,0 +1,15 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to an empty list:
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Lock pages in memory'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to a value other than an empty list:
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Lock pages in memory'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
\ No newline at end of file
diff --git a/ee/cis/win-10/test/instructions/CIS_2.2.28.txt b/ee/cis/win-10/test/instructions/CIS_2.2.28.txt
new file mode 100644
index 0000000000..09b55529d1
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_2.2.28.txt
@@ -0,0 +1,15 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to 'Administrators':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a batch job'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to a value other than 'Administrators':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a batch job'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
\ No newline at end of file
diff --git a/ee/cis/win-10/test/instructions/CIS_2.2.29.txt b/ee/cis/win-10/test/instructions/CIS_2.2.29.txt
new file mode 100644
index 0000000000..b23849e145
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_2.2.29.txt
@@ -0,0 +1,15 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to 'NT SERVICE\ALL SERVICES':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a service'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to a value other than 'NT SERVICE\ALL SERVICES':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a service'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
\ No newline at end of file
diff --git a/ee/cis/win-10/test/instructions/CIS_2.2.30.txt b/ee/cis/win-10/test/instructions/CIS_2.2.30.txt
new file mode 100644
index 0000000000..fc2eef0849
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_2.2.30.txt
@@ -0,0 +1,15 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to 'Administrators':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Manage auditing and security log'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to a value other than 'Administrators':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Manage auditing and security log'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
\ No newline at end of file
diff --git a/ee/cis/win-10/test/instructions/CIS_2.2.31.txt b/ee/cis/win-10/test/instructions/CIS_2.2.31.txt
new file mode 100644
index 0000000000..8952ad071c
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_2.2.31.txt
@@ -0,0 +1,15 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to an empty list:
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Modify an object label'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to a value other than an empty list:
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Modify an object label'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
\ No newline at end of file
diff --git a/ee/cis/win-10/test/instructions/CIS_2.2.32.txt b/ee/cis/win-10/test/instructions/CIS_2.2.32.txt
new file mode 100644
index 0000000000..a318ef13bc
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_2.2.32.txt
@@ -0,0 +1,15 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to 'Administrators':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Modify firmware environment values'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to a value other than 'Administrators':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Modify firmware environment values'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
\ No newline at end of file
diff --git a/ee/cis/win-10/test/instructions/CIS_2.2.33.txt b/ee/cis/win-10/test/instructions/CIS_2.2.33.txt
new file mode 100644
index 0000000000..56fe445412
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_2.2.33.txt
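Review bot: These instructions set 'Modify firmware environment values' to 'Administrators', which agrees with the policy query, but the `resolution:` text added for the same policy in cis-policy-queries.yml tells the administrator to ensure the path "is set to an empty list". An operator who follows that resolution ends up with a value the check reports as non-compliant. The same sentence appears in the resolution of the 2.2.33 to 2.2.39 entries, all of which name a non-empty expected value; each should state its own value, for example `ensure that the following UI path is set to 'Administrators'`. The yml hunk starts outside this view, so earlier entries were not checked.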
@@ -0,0 +1,15 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to 'Administrators':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Perform volume maintenance tasks'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to a value other than 'Administrators':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Perform volume maintenance tasks'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
\ No newline at end of file
diff --git a/ee/cis/win-10/test/instructions/CIS_2.2.34.txt b/ee/cis/win-10/test/instructions/CIS_2.2.34.txt
new file mode 100644
index 0000000000..885b33bc88
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_2.2.34.txt
@@ -0,0 +1,15 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to 'Administrators':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Profile single process'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to a value other than 'Administrators':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Profile single process'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
\ No newline at end of file
diff --git a/ee/cis/win-10/test/instructions/CIS_2.2.35.txt b/ee/cis/win-10/test/instructions/CIS_2.2.35.txt
new file mode 100644
index 0000000000..29e28d74f7
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_2.2.35.txt
@@ -0,0 +1,15 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to 'Administrators, NT SERVICE\WdiServiceHost':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Profile system performance'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to a value other than 'Administrators, NT SERVICE\WdiServiceHost':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Profile system performance'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
\ No newline at end of file
diff --git a/ee/cis/win-10/test/instructions/CIS_2.2.36.txt b/ee/cis/win-10/test/instructions/CIS_2.2.36.txt
new file mode 100644
index 0000000000..796c02eddc
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_2.2.36.txt
@@ -0,0 +1,15 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to 'LOCAL SERVICE, NETWORK SERVICE':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Replace a process level token'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to a value other than 'LOCAL SERVICE, NETWORK SERVICE':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Replace a process level token'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
\ No newline at end of file
diff --git a/ee/cis/win-10/test/instructions/CIS_2.2.37.txt b/ee/cis/win-10/test/instructions/CIS_2.2.37.txt
new file mode 100644
index 0000000000..c170a8061b
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_2.2.37.txt
@@ -0,0 +1,15 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to 'Administrators':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Restore files and directories'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to a value other than 'Administrators':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Restore files and directories'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
\ No newline at end of file
diff --git a/ee/cis/win-10/test/instructions/CIS_2.2.38.txt b/ee/cis/win-10/test/instructions/CIS_2.2.38.txt
new file mode 100644
index 0000000000..1550e7a189
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_2.2.38.txt
@@ -0,0 +1,15 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to 'Administrators, Users':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Shut down the system'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to a value other than 'Administrators, Users':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Shut down the system'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
\ No newline at end of file
diff --git a/ee/cis/win-10/test/instructions/CIS_2.2.39.txt b/ee/cis/win-10/test/instructions/CIS_2.2.39.txt
new file mode 100644
index 0000000000..b735c94868
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_2.2.39.txt
@@ -0,0 +1,15 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to 'Administrators':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Take ownership of files or other objects'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to a value other than 'Administrators':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Take ownership of files or other objects'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
\ No newline at end of file
diff --git a/ee/cis/win-10/test/instructions/CIS_2.2.8.txt b/ee/cis/win-10/test/instructions/CIS_2.2.8.txt
new file mode 100644
index 0000000000..80228be663
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_2.2.8.txt
@@ -0,0 +1,15 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to 'Administrators, LOCAL SERVICE':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Change the system time'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to a value other than 'Administrators, LOCAL SERVICE':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Change the system time'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
\ No newline at end of file
diff --git a/ee/cis/win-10/test/instructions/CIS_2.2.9.txt b/ee/cis/win-10/test/instructions/CIS_2.2.9.txt
new file mode 100644
index 0000000000..5bcfcd497d
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_2.2.9.txt
@@ -0,0 +1,15 @@
+Expected scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to 'Administrators, LOCAL SERVICE, Users':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Change the time zone'
+
+2) After running the policy check, it should return 1 indicating that setting was properly set
+
+
+
+Failure scenario
+==================
+1) Open "Edit Group Policy" tool and set the following UI path to a value other than 'Administrators, LOCAL SERVICE, Users':
+'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Change the time zone'
+
+2) After running the policy check, it should return nothing, indicating that setting was set to a non-compliant value
\ No newline at end of file