diff --git a/ee/cis/win-10/cis-NON-COMPLETED-policy-queries.yml b/ee/cis/win-10/cis-NON-COMPLETED-policy-queries.yml
index 576fa10ab3..f7d6d3bcb6 100644
--- a/ee/cis/win-10/cis-NON-COMPLETED-policy-queries.yml
+++ b/ee/cis/win-10/cis-NON-COMPLETED-policy-queries.yml
@@ -320,6 +320,26 @@ spec:
 ---
 apiVersion: v1
 kind: policy
+spec:
+ name: >
+ CIS - Ensure 'Configure DNS over HTTPS (DoH) name resolution' is set to 'Enabled: Allow DoH' or higher
+ platforms: win11
+ platform: windows
+ description: |
+ This policy is meant for Windows 11.
+ This setting determines if DNS over HTTPS (DoH) is used by the system. DNS over HTTPS (DoH) is a protocol for performing remote Domain Name System (DNS) resolution over the Hypertext Transfer Protocol Secure (HTTPS). For additional information on DNS over HTTPS (DoH), visit: Secure DNS Client over HTTPS (DoH) on Windows Server 2022 | Microsoft Docs.
+ The recommended state for this setting is: 'Enabled: Allow DoH'. Configuring this setting to 'Enabled: Require DoH' also conforms to the benchmark.
+ resolution: |
+ To establish the recommended configuration via GP, set the following UI path to Enabled: Allow DoH (configuring to Enabled: Require DoH also conforms to the benchmark):
+ 'Computer Configuration\Policies\Administrative Templates\Network\DNS Client\Configure DNS over HTTPS (DoH) name resolution'
+ query: |
+ SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DoHPolicy' AND data IN (2,3));
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.5.4.1, CIS_not_completed
+ contributors: DefensiveDepth
+---
+apiVersion: v1
+kind: policy
 spec:
 name: >
 CIS - Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'
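Review bot: The new DoH policy is tagged `CIS_win10_enterprise_1.12.0` / `CIS_bullet_18.5.4.1` while its `platforms` is `win11` and the description says it is meant for Windows 11, so the benchmark tag does not match the platform the check targets; confirm which benchmark and bullet the check was taken from, and if the item really is Windows-11-only, reflect that in the tag or the name rather than only in the description body. The `data IN (2,3)` predicate also gives no hint of which value is 'Allow DoH' and which is 'Require DoH'; a comment on the query line such as `-- presumably 2 = Allow DoH, 3 = Require DoH; confirm against the benchmark` would make the check reviewable without opening the ADMX. It is also worth stating in the description that a host with no `DoHPolicy` value returns no row and therefore fails the policy, since that "unconfigured means non-compliant" behaviour is intended here but is easy to misread as a query bug.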
@@ -477,5 +497,3 @@ spec:
 purpose: Informational
 tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.17.7, CIS_not_completed
 contributors: rachelelysia
----
-
diff --git a/ee/cis/win-10/cis-policy-queries.yml b/ee/cis/win-10/cis-policy-queries.yml
index ef00717116..c7a8baa381 100644
--- a/ee/cis/win-10/cis-policy-queries.yml
+++ b/ee/cis/win-10/cis-policy-queries.yml
@@ -3114,6 +3114,177 @@ spec:
 ---
 apiVersion: v1
 kind: policy
+spec:
+ name: >
+ CIS - Ensure 'Turn off multicast name resolution' is set to 'Enabled'
+ platforms: win10
+ platform: windows
+ description: |
+ LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does not require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution is not possible.
+ The recommended state for this setting is: Enabled.
+ resolution: |
+ To establish the recommended configuration via GP, set the following UI path to Enabled:
+ 'Computer Configuration\Policies\Administrative Templates\Network\DNS Client\Turn off multicast name resolution'
+ query: |
+ SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast' AND data = 0);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.5.4.2
+ contributors: DefensiveDepth
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: >
+ CIS - Ensure 'Enable Font Providers' is set to 'Disabled'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting determines whether Windows is allowed to download fonts and font catalog data from an online font provider.
+ The recommended state for this setting is: Disabled.
+ resolution: |
+ To establish the recommended configuration via GP, set the following UI path to Disabled:
+ 'Computer Configuration\Policies\Administrative Templates\Network\Fonts\Enable Font Providers'
+ query: |
+ SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\EnableFontProviders' AND data = 0);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level2, CIS_win10_enterprise_1.12.0, CIS_bullet_18.5.5.1
+ contributors: DefensiveDepth
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: >
+ CIS - Ensure 'Enable insecure guest logons' is set to 'Disabled'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting determines if the SMB client will allow insecure guest logons to an SMB server.
+ The recommended state for this setting is: Disabled.
+ resolution: |
+ To establish the recommended configuration via GP, set the following UI path to Disabled:
+ 'Computer Configuration\Policies\Administrative Templates\Network\Lanman Workstation\Enable insecure guest logons'
+ query: |
+ SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation\AllowInsecureGuestAuth' AND data = 0);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.5.8.1
+ contributors: DefensiveDepth
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: >
+ CIS - Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting changes the operational behavior of the Mapper I/O network protocol driver. LLTDIO allows a computer to discover the topology of a network it's connected to. It also allows a computer to initiate Quality-of-Service requests such as bandwidth estimation and network health analysis.
+ The recommended state for this setting is: Disabled.
+ resolution: |
+ To establish the recommended configuration via GP, set the following UI path to Disabled:
+ 'Computer Configuration\Policies\Administrative Templates\Network\Link-Layer Topology Discovery\Turn on Mapper I/O (LLTDIO) driver'
+ query: |
+ SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD\EnableLLTDIO' AND data = 0);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level2, CIS_win10_enterprise_1.12.0, CIS_bullet_18.5.9.1
+ contributors: DefensiveDepth
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: >
+ CIS - Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting changes the operational behavior of the Responder network protocol driver. The Responder allows a computer to participate in Link Layer Topology Discovery requests so that it can be discovered and located on the network. It also allows a computer to participate in Quality-of-Service activities such as bandwidth estimation and network health analysis.
+ The recommended state for this setting is: Disabled.
+ resolution: |
+ To establish the recommended configuration via GP, set the following UI path to On (recommended):
+ 'Computer Configuration\Policies\Administrative Templates\Network\Link-Layer Topology Discovery\Turn on Responder (RSPNDR) driver'
+ query: |
+ SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD\EnableRspndr' AND data = 0);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level2, CIS_win10_enterprise_1.12.0, CIS_bullet_18.5.9.2
+ contributors: DefensiveDepth
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: >
+ CIS - Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'
+ platforms: win10
+ platform: windows
+ description: |
+ The Peer Name Resolution Protocol (PNRP) allows for distributed resolution of a name to an IPv6 address and port number.
The protocol operates in the context of clouds. A cloud is a set of peer computers that can communicate with each other by using the same IPv6 scope.Peer-to-Peer protocols allow for applications in the areas of RTC, collaboration, content distribution and distributed processing.
+ The recommended state for this setting is: Enabled.
+ resolution: |
+ To establish the recommended configuration via GP, set the following UI path to Enabled:
+ 'Computer Configuration\Policies\Administrative Templates\Network\Microsoft Peer-to-Peer Networking Services\Turn off Microsoft Peer-to-Peer Networking Services'
+ query: |
+ SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet\Disabled' AND data = 1);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level2, CIS_win10_enterprise_1.12.0, CIS_bullet_18.5.10.2
+ contributors: DefensiveDepth
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: >
+ CIS - Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'
+ platforms: win10
+ platform: windows
+ description: |
+ You can use this procedure to control a user's ability to install and configure a Network Bridge..
+ The recommended state for this setting is: Enabled.
+ resolution: |
+ To establish the recommended configuration via GP, set the following UI path to Enabled:
+ 'Computer Configuration\Policies\Administrative Templates\Network\Network Connections\Prohibit installation and configuration of Network Bridge on your DNS domain network'
+ query: |
+ SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections\NC_AllowNetBridge_NLA' AND data = 0);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.5.11.2
+ contributors: DefensiveDepth
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: >
+ CIS - Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'
+ platforms: win10
+ platform: windows
+ description: |
+ Although this "legacy" setting traditionally applied to the use of Internet Connection Sharing (ICS) in Windows 2000, Windows XP & Server 2003, this setting now freshly applies to the Mobile Hotspot feature in Windows 10 & Server 2016.
+ The recommended state for this setting is: Enabled.
+ resolution: |
+ To establish the recommended configuration via GP, set the following UI path to On (recommended):
+ 'Computer Configuration\Policies\Administrative Templates\Network\Network Connections\Prohibit use of Internet Connection Sharing on your DNS domain network'
+ query: |
+ SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections\NC_ShowSharedAccessUI' AND data = 0);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.5.11.3
+ contributors: DefensiveDepth
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: >
+ CIS - Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting determines whether to require domain users to elevate when setting a network's location.
+ The recommended state for this setting is: Enabled.
+ resolution: |
+ To establish the recommended configuration via GP, set the following UI path to On (recommended):
+ 'Computer Configuration\Policies\Administrative Templates\Network\Network Connections\Require domain users to elevate when setting a network's location'
+ query: |
+ SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections\NC_StdDomainUserSetLocation' AND data = 1);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.5.11.4
+ contributors: DefensiveDepth
+---
+apiVersion: v1
+kind: policy
 spec:
 name: >
 CIS - Ensure 'Allow Print Spooler to accept client connections' is set to 'Disabled'
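Review bot: The resolution for the 'Turn on Responder (RSPNDR) driver' entry tells the operator to set the UI path to `On (recommended)`, but the name, the description and the query (`EnableRspndr` with `data = 0`) all require Disabled, so anyone following the remediation would move the host away from the state the check passes; that line should read `To establish the recommended configuration via GP, set the following UI path to Disabled:`. The same `On (recommended)` wording is used on the 'Prohibit use of Internet Connection Sharing…' and 'Require domain users to elevate…' entries, whose names and queries check for Enabled, so aligning those two resolutions with their names (as the LLTDIO, multicast and Network Bridge entries already do) removes the ambiguity. The Network Bridge description also ends with a doubled period (`Network Bridge..`).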
@@ -5061,6 +5232,4 @@ spec:
 SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\System\DisableAutomaticRestartSignOn' AND data = 1);
 purpose: Informational
 tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.91.1
- contributors: rachelelysia
----
-
+ contributors: rachelelysia
\ No newline at end of file