mirror of
https://github.com/fleetdm/fleet
synced 2026-05-23 00:49:03 +00:00
CIS - WIN10 - 19.7.4 to 19.7.8 (#10715)
## Issue Cerra #10369 ## Description - Lots of trial and error to get the wild card to work (only works with single \ in the path) - 6 of 7 tested and working - Final policy is intended for Windows 11
This commit is contained in:
RachelElysia
GitHub
parent
bb077f8b9b
commit
ee116d14ca
2 changed files with 135 additions and 0 deletions
|
|
@ -497,3 +497,24 @@ spec:
|
|||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.17.7, CIS_not_completed
|
||||
contributors: rachelelysia
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: >
|
||||
CIS - Ensure 'Turn off Spotlight collection on Desktop' is set to 'Enabled'
|
||||
platforms: win11
|
||||
platform: windows
|
||||
description: |
|
||||
This policy is meant for Windows 11.
|
||||
This policy setting removes the Spotlight collection setting in Personalization, rendering the user unable to select and subsequently download daily images from Microsoft to the system desktop.
|
||||
resolution: |
|
||||
To establish the recommended configuration via GP, set the following UI path to Enabled:
|
||||
'User Configuration\Policies\Administrative Templates\Windows Components\Cloud Content\Turn off Spotlight collection on Desktop'
|
||||
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CloudContent.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer).
|
||||
query: |
|
||||
TODO
|
||||
# Untested: SELECT 1 FROM registry WHERE (path LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\%\Software\Policies\Microsoft\Windows\CloudContent\DisableSpotlightCollectionOnDesktop' AND data = 1);
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_19.7.8.5, CIS_not_completed
|
||||
contributors: rachelelysia
|
||||
|
|
|
|||
|
|
@ -5485,3 +5485,117 @@ spec:
|
|||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.91.1
|
||||
contributors: rachelelysia
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: >
|
||||
CIS - Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'
|
||||
platforms: win10
|
||||
platform: windows
|
||||
description: |
|
||||
This policy setting allows you to manage whether Windows marks file attachments with information about their zone of origin (such as restricted, Internet, intranet, local). This requires NTFS in order to function correctly, and will fail without notice on FAT32. By not preserving the zone information, Windows cannot make proper risk assessments.
|
||||
resolution: |
|
||||
To establish the recommended configuration via GP, set the following UI path to Disabled:
|
||||
'User Configuration\Policies\Administrative Templates\Windows Components\Attachment Manager\Do not preserve zone information in file attachments'
|
||||
Note: This Group Policy path is provided by the Group Policy template AttachmentManager.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
|
||||
query: |
|
||||
SELECT 1 FROM registry WHERE (path LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\%\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\SaveZoneInformation' and data = 2);
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_19.7.4.1
|
||||
contributors: rachelelysia
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: >
|
||||
CIS - Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'
|
||||
platforms: win10
|
||||
platform: windows
|
||||
description: |
|
||||
This policy setting manages the behavior for notifying registered antivirus programs. If multiple programs are registered, they will all be notified.
|
||||
resolution: |
|
||||
To establish the recommended configuration via GP, set the following UI path to Enabled:
|
||||
'User Configuration\Policies\Administrative Templates\Windows Components\Attachment Manager\Notify antivirus programs when opening attachments'
|
||||
Note: This Group Policy path is provided by the Group Policy template AttachmentManager.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
|
||||
query: |
|
||||
SELECT 1 FROM registry WHERE (path LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\%\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\ScanWithAntiVirus' AND data = 3);
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_19.7.4.2
|
||||
contributors: rachelelysia
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: >
|
||||
CIS - Ensure 'Configure Windows spotlight on lock screen' is set to Disabled'
|
||||
platforms: win10
|
||||
platform: windows
|
||||
description: |
|
||||
This policy setting lets you configure Windows Spotlight on the lock screen.
|
||||
resolution: |
|
||||
To establish the recommended configuration via GP, set the following UI path to Disabled:
|
||||
'User Configuration\Policies\Administrative Templates\Windows Components\Cloud Content\Configure Windows spotlight on lock screen'
|
||||
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CloudContent.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
|
||||
query: |
|
||||
SELECT 1 FROM registry WHERE (path LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\%\Software\Policies\Microsoft\Windows\CloudContent\ConfigureWindowsSpotlight' AND data = 2);
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_19.7.8.1
|
||||
contributors: rachelelysia
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: >
|
||||
CIS - Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'
|
||||
platforms: win10
|
||||
platform: windows
|
||||
description: |
|
||||
This policy setting determines whether Windows will suggest apps and content from third-party software publishers.
|
||||
resolution: |
|
||||
To establish the recommended configuration via GP, set the following UI path to Enabled:
|
||||
'User Configuration\Policies\Administrative Templates\Windows Components\Cloud Content\Do not suggest third-party content in Windows spotlight'
|
||||
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CloudContent.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
|
||||
query: |
|
||||
SELECT 1 FROM registry WHERE (path LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\%\Software\Policies\Microsoft\Windows\CloudContent\DisableThirdPartySuggestions' AND data = 1);
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_19.7.8.2
|
||||
contributors: rachelelysia
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: >
|
||||
CIS - Ensure 'Do not use diagnostic data for tailored experiences' is set to 'Enabled'
|
||||
platforms: win10
|
||||
platform: windows
|
||||
description: |
|
||||
This setting determines if Windows can use diagnostic data to provide tailored experiences to the user.
|
||||
resolution: |
|
||||
To establish the recommended configuration via GP, set the following UI path to Enabled:
|
||||
'User Configuration\Policies\Administrative Templates\Windows Components\Cloud Content\Do not use diagnostic data for tailored experiences'
|
||||
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CloudContent.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
|
||||
query: |
|
||||
SELECT 1 FROM registry WHERE (path LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\%\Software\Policies\Microsoft\Windows\CloudContent\DisableTailoredExperiencesWithDiagnosticData' AND data = 1);
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level2, CIS_win10_enterprise_1.12.0, CIS_bullet_19.7.8.3
|
||||
contributors: rachelelysia
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: policy
|
||||
spec:
|
||||
name: >
|
||||
CIS - Ensure 'Turn off all Windows spotlight features' is set to 'Enabled'
|
||||
platforms: win10
|
||||
platform: windows
|
||||
description: |
|
||||
This policy setting determines whether the all Windows Spotlight features are turned on/off (together).
|
||||
resolution: |
|
||||
To establish the recommended configuration via GP, set the following UI path to Enabled:
|
||||
'User Configuration\Policies\Administrative Templates\Windows Components\Cloud Content\Turn off all Windows spotlight features'
|
||||
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CloudContent.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
|
||||
query: |
|
||||
SELECT 1 FROM registry WHERE (path LIKE 'HKEY_USERS\%\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\%\Software\Policies\Microsoft\Windows\CloudContent\DisableWindowsSpotlightFeatures' AND data = 1);
|
||||
purpose: Informational
|
||||
tags: compliance, CIS, CIS_Level2, CIS_win10_enterprise_1.12.0, CIS_bullet_19.7.8.4
|
||||
contributors: rachelelysia
|
||||
|
|
|
|||
Loading…
Reference in a new issue