mirror of
https://github.com/fleetdm/fleet
synced 2026-05-24 09:28:54 +00:00
Marcos Oviedo
GitHub
parent
ea8c30a270
commit
a8282864e3
1 changed files with 149 additions and 1 deletions
|
|
@ -3364,4 +3364,152 @@ spec:
|
|||
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.8.14.1
|
||||
contributors: rachelelysia
|
||||
---
|
||||
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: CIS - Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'
|
||||
platforms: win10
|
||||
platform: windows
|
||||
description: |
|
||||
This policy manages a Windows app's ability to share data between users who have installed the
|
||||
app. Data is shared through the SharedLocal folder. This folder is available through the
|
||||
Windows.Storage API.
|
||||
resolution: |
|
||||
Automatic method:
|
||||
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Disabled':
|
||||
'Computer Configuration\Policies\Administrative Templates\Windows Components\App Package Deployment\Allow a Windows app to share application data between users'
|
||||
query: |
|
||||
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\AppModel\\StateManager\\AllowSharedLocalAppData' AND data == 0);
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level2, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.4.1
|
||||
contributors: marcosd4h
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: CIS - Ensure 'Prevent non-admin users from installing packaged Windows apps' is set to 'Enabled'
|
||||
platforms: win10
|
||||
platform: windows
|
||||
description: |
|
||||
This setting manages non-Administrator users' ability to install Windows app packages.
|
||||
resolution: |
|
||||
Automatic method:
|
||||
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Enabled':
|
||||
'Computer Configuration\Policies\Administrative Templates\Windows Components\App Package Deployment\Prevent non-admin users from installing packaged Windows apps'
|
||||
query: |
|
||||
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Appx\\BlockNonAdminUserInstall' AND data != 0);
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.4.2
|
||||
contributors: marcosd4h
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: CIS - Ensure 'Let Windows apps activate with voice while the system is locked' is set to 'Enabled Force Deny'
|
||||
platforms: win10
|
||||
platform: windows
|
||||
description: |
|
||||
This policy setting specifies whether Windows apps can be activated by voice (apps and Cortana) while the system is locked.
|
||||
resolution: |
|
||||
Automatic method:
|
||||
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Enabled Force Deny':
|
||||
'Computer Configuration\Policies\Administrative Templates\Windows Components\App Privacy\Let Windows apps activate with voice while the system is locked'
|
||||
query: |
|
||||
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AppPrivacy\\LetAppsActivateWithVoiceAboveLock' AND data == 2);
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.5.1
|
||||
contributors: marcosd4h
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: CIS - Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'
|
||||
platforms: win10
|
||||
platform: windows
|
||||
description: |
|
||||
This policy setting lets you control whether Microsoft accounts are optional for Windows Store
|
||||
apps that require an account to sign in. This policy only affects Windows Store apps that support it.
|
||||
resolution: |
|
||||
Automatic method:
|
||||
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Enabled':
|
||||
'Computer Configuration\Policies\Administrative Templates\Windows Components\App runtime\Allow Microsoft accounts to be optional'
|
||||
query: |
|
||||
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\MSAOptional' AND data != 0);
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.6.1
|
||||
contributors: marcosd4h
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: CIS - Ensure 'Block launching Universal Windows apps with Windows Runtime API access from hosted content' is set to 'Enabled'
|
||||
platforms: win10
|
||||
platform: windows
|
||||
description: |
|
||||
This policy setting controls whether Microsoft Store apps with Windows Runtime API access directly from web content can be launched.
|
||||
resolution: |
|
||||
Automatic method:
|
||||
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Enabled':
|
||||
'Computer Configuration\Policies\Administrative Templates\Windows Components\App runtime\Block launching Universal Windows apps with Windows Runtime API access from hosted content'
|
||||
query: |
|
||||
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\BlockHostedAppAccessWinRT' AND data != 0);
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level2, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.6.2
|
||||
contributors: marcosd4h
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: CIS - Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'
|
||||
platforms: win10
|
||||
platform: windows
|
||||
description: |
|
||||
This policy setting disallows AutoPlay for MTP devices like cameras or phones.
|
||||
resolution: |
|
||||
Automatic method:
|
||||
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Enabled':
|
||||
'Computer Configuration\Policies\Administrative Templates\Windows Components\AutoPlay Policies\Disallow Autoplay for non-volume devices'
|
||||
query: |
|
||||
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer\\NoAutoplayfornonVolume' AND data != 0);
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.8.1
|
||||
contributors: marcosd4h
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: CIS - Ensure 'Set the default behavior for AutoRun' is set to 'Enabled Do not execute any autorun commands'
|
||||
platforms: win10
|
||||
platform: windows
|
||||
description: |
|
||||
This policy setting sets the default behavior for Autorun commands. Autorun commands are
|
||||
generally stored in autorun.inf files. They often launch the installation program or other routines.
|
||||
resolution: |
|
||||
Automatic method:
|
||||
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Enabled Do not execute any autorun commands':
|
||||
'Computer Configuration\Policies\Administrative Templates\Windows Components\AutoPlay Policies\Set the default behavior for AutoRun'
|
||||
query: |
|
||||
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoAutorun' AND data == 1);
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.8.2
|
||||
contributors: marcosd4h
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: CIS - Ensure 'Turn off Autoplay' is set to 'Enabled All drives'
|
||||
platforms: win10
|
||||
platform: windows
|
||||
description: |
|
||||
This policy setting sets the default behavior for Autorun commands. Autorun commands are
|
||||
generally stored in autorun.inf files. They often launch the installation program or other routines.
|
||||
resolution: |
|
||||
Automatic method:
|
||||
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Enabled All drives':
|
||||
'Computer Configuration\Policies\Administrative Templates\Windows Components\AutoPlay Policies\Turn off Autoplay'
|
||||
query: |
|
||||
SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoDriveTypeAutoRun' AND data == 255);
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.8.3
|
||||
contributors: marcosd4h
|
||||
---
|
||||
Loading…
Reference in a new issue