mirror of
https://github.com/fleetdm/fleet
synced 2026-05-23 17:08:53 +00:00
Pushing CIS policies from 18.9.103.1 to 18.9.105.2.1 (#10759)
This relates to #10366
This commit is contained in:
Marcos Oviedo
GitHub
parent
4419820707
commit
a576668cad
1 changed files with 75 additions and 0 deletions
|
|
@ -6414,6 +6414,81 @@ spec:
|
|||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: >
|
||||
CIS - Ensure 'Allow Remote Shell Access' is set to 'Disabled'
|
||||
platforms: win10
|
||||
platform: windows
|
||||
description: |
|
||||
This policy setting allows you to manage configuration of remote access to all supported shells to execute scripts and commands.
|
||||
resolution: |
|
||||
To establish the recommended configuration via GP, set the following UI path to 'Disabled':
|
||||
'Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Remote Shell\Allow Remote Shell Access'
|
||||
query: |
|
||||
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Service\\WinRS\\AllowRemoteShellAccess' AND data = 0);
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level2, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.103.1
|
||||
contributors: marcosd4h
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: >
|
||||
CIS - Ensure 'Allow clipboard sharing with Windows Sandbox' is set to 'Disabled'
|
||||
platforms: win10
|
||||
platform: windows
|
||||
description: |
|
||||
This policy setting enables or disables clipboard sharing with the Windows sandbox.
|
||||
resolution: |
|
||||
To establish the recommended configuration via GP, set the following UI path to 'Disabled':
|
||||
'Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Sandbox\Allow clipboard sharing with Windows Sandbox'
|
||||
Note: This Group Policy section is provided by the Group Policy template WindowsSandbox.admx/adml that is included with the Microsoft Windows 11 Release 21H2 Administrative Templates (or newer).
|
||||
query: |
|
||||
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Sandbox\\AllowClipboardRedirection' AND data = 0);
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.104.1
|
||||
contributors: marcosd4h
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: >
|
||||
CIS - Ensure 'Allow networking in Windows Sandbox' is set to 'Disabled'
|
||||
platforms: win10
|
||||
platform: windows
|
||||
description: |
|
||||
This policy setting enables or disables networking in the Windows Sandbox. Networking is achieved by creating a virtual switch on the host, and connecting the Windows Sandbox to it via a virtual Network Interface Card (NIC).
|
||||
resolution: |
|
||||
To establish the recommended configuration via GP, set the following UI path to 'Disabled':
|
||||
'Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Sandbox\Allow networking in Windows Sandbox'
|
||||
Note: This Group Policy section is provided by the Group Policy template WindowsSandbox.admx/adml that is included with the Microsoft Windows 11 Release 21H2 Administrative Templates (or newer).
|
||||
query: |
|
||||
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Sandbox\\AllowNetworking' AND data = 0);
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.104.2
|
||||
contributors: marcosd4h
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: >
|
||||
CIS - Ensure 'Prevent users from modifying settings' is set to 'Enabled'
|
||||
platforms: win10
|
||||
platform: windows
|
||||
description: |
|
||||
This policy setting prevent users from making changes to the Exploit protection settings area in the Windows Security settings.
|
||||
resolution: |
|
||||
To establish the recommended configuration via GP, set the following UI path to 'Enabled':
|
||||
'Computer Configuration\Policies\Administrative Templates\Windows Components\\Windows Security\App and browser protection\Prevent users from modifying settings'
|
||||
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefenderSecurityCenter.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
|
||||
query: |
|
||||
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\App and Browser protection\\DisallowExploitProtectionOverride' AND data = 1);
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.105.2.1
|
||||
contributors: marcosd4h
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: >
|
||||
CIS - Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'
|
||||
|
|
|
|||
Loading…
Reference in a new issue