From f97b13d8c0f9f7b20a3334ff4db0c402ad6538a8 Mon Sep 17 00:00:00 2001
From: RachelElysia <71795832+RachelElysia@users.noreply.github.com>
Date: Mon, 13 Mar 2023 09:25:04 -0400
Subject: [PATCH] CIS - WIN10 - 18.8.1. - 18.8.16 (#10407)

---
ee/cis/win-10/cis-policy-queries.yml | 324 +++++++++++++++++++++++++++
1 file changed, 324 insertions(+)

diff --git a/ee/cis/win-10/cis-policy-queries.yml b/ee/cis/win-10/cis-policy-queries.yml
index 80b2982f38..705cadc393 100644
--- a/ee/cis/win-10/cis-policy-queries.yml
+++ b/ee/cis/win-10/cis-policy-queries.yml
@@ -2593,4 +2593,328 @@ spec:
 tags: compliance, CIS, CIS_Level2, CIS_win10_enterprise_1.12.0, CIS_bullet_18.7.1.1
 contributors: rachelelysia
 ---
+apiVersion: v1
+kind: policy
+spec:
+ name: >
+ CIS - Ensure 'Include command line in process creation events' is set to 'Enabled'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting controls whether the process creation command line text is logged in security audit events when a new process has been created.
+ resolution: |
+ To establish the recommended configuration via GP, set the following UI path to Enabled:
+ 'Computer Configuration\Policies\Administrative Templates\System\Audit Process Creation\Include command line in process creation events'
+ query: |
+ SELECT 1 FROM REGISTRY WHERE (PATH = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Audit\ProcessCreationIncludeCmdLine_Enabled' AND data = 1);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.8.3.1
+ contributors: rachelelysia
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: >
+ CIS - Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'
+ platforms: win10
+ platform: windows
+ description: |
+ Some versions of the CredSSP protocol that is used by some applications (such as Remote Desktop Connection) are vulnerable to an encryption oracle attack against the client. This policy controls compatibility with vulnerable clients and servers and allows you to set the level of protection desired for the encryption oracle vulnerability.
+ resolution: |
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled: Force Updated Clients':
+ 'Computer Configuration\Policies\Administrative Templates\System\Credentials Delegation\Encryption Oracle Remediation'
+ query: |
+ SELECT 1 FROM REGISTRY WHERE (PATH = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\CredSSP\\Parameters\AllowEncryptionOracle' AND data = 0);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.8.4.1
+ contributors: rachelelysia
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: >
+ CIS - Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'
+ platforms: win10
+ platform: windows
+ description: |
+ Remote host allows delegation of non-exportable credentials. When using credential delegation, devices provide an exportable version of credentials to the remote host. This exposes users to the risk of credential theft from attackers on the remote host. The Restricted Admin Mode and Windows Defender Remote Credential Guard features are two options to help protect against this risk.
+ resolution: |
+ To establish the recommended configuration via GP, set the following UI path to Enabled:
+ 'Computer Configuration\Policies\Administrative Templates\System\Credentials Delegation\Remote host allows delegation of non-exportable credentials'
+ query: |
+ SELECT 1 FROM REGISTRY WHERE (PATH = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CredentialsDelegation\AllowProtectedCreds' AND data = 1);
+ purpose: Informational
+ tags: compliance, CIS, CIS_NG, CIS_win10_enterprise_1.12.0, CIS_bullet_18.8.4.2
+ contributors: rachelelysia
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: >
+ CIS - Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting specifies whether Virtualization Based Security is enabled. Virtualization Based Security uses the Windows Hypervisor to provide support for security services.
+ resolution: |
+ To establish the recommended configuration via GP, set the following UI path to Enabled:
+ 'Computer Configuration\Policies\Administrative Templates\System\Device Guard\Turn On Virtualization Based Security'
+ query: |
+ SELECT 1 FROM REGISTRY WHERE (PATH = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard\EnableVirtualizationBasedSecurity' AND data = 1);
+ purpose: Informational
+ tags: compliance, CIS, CIS_NG, CIS_win10_enterprise_1.12.0, CIS_bullet_18.8.5.1
+ contributors: rachelelysia
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: >
+ CIS - Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot and DMA Protection'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting specifies whether Virtualization Based Security is enabled. Virtualization Based Security uses the Windows Hypervisor to provide support for security services.
+ resolution: |
+ To establish the recommended configuration via GP, set the following UI path to 'Secure Boot and DMA Protection':
+ 'Computer Configuration\Policies\Administrative Templates\System\Device Guard\Turn On Virtualization Based Security: Select Platform Security Level'
+ query: |
+ SELECT 1 FROM REGISTRY WHERE (PATH = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard\RequirePlatformSecurityFeatures' AND data = 3);
+ purpose: Informational
+ tags: compliance, CIS, CIS_NG, CIS_win10_enterprise_1.12.0, CIS_bullet_18.8.5.2
+ contributors: rachelelysia
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: >
+ CIS - Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to 'Enabled with UEFI lock'
+ platforms: win10
+ platform: windows
+ description: |
+ This setting enables virtualization based protection of Kernel Mode Code Integrity. When this is enabled, kernel mode memory protections are enforced and the Code Integrity validation path is protected by the Virtualization Based Security feature.
+ resolution: |
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled with UEFI lock':
+ 'Computer Configuration\Policies\Administrative Templates\System\Device Guard\Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity'
+ query: |
+ SELECT 1 FROM REGISTRY WHERE (PATH = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard\HypervisorEnforcedCodeIntegrity' AND data = 1);
+ purpose: Informational
+ tags: compliance, CIS, CIS_NG, CIS_win10_enterprise_1.12.0, CIS_bullet_18.8.5.3
+ contributors: rachelelysia
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: >
+ CIS - Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)'
+ platforms: win10
+ platform: windows
+ description: |
+ This option will only enable Virtualization Based Protection of Code Integrity on devices with UEFI firmware support for the Memory Attributes Table. Devices without the UEFI Memory Attributes Table may have firmware that is incompatible with Virtualization Based Protection of Code Integrity which in some cases can lead to crashes or data loss or incompatibility with certain plug-in cards. If not setting this option the targeted devices should be tested to ensure compatibility.
+ resolution: |
+ To establish the recommended configuration via GP, set the following UI path to TRUE:
+ 'Computer Configuration\Policies\Administrative Templates\System\Device Guard\Turn On Virtualization Based Security: Require UEFI Memory Attributes Table'
+ query: |
+ SELECT 1 FROM REGISTRY WHERE (PATH = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard\HVCIMATRequired' AND data = 1);
+ purpose: Informational
+ tags: compliance, CIS, CIS_NG, CIS_win10_enterprise_1.12.0, CIS_bullet_18.8.5.4
+ contributors: rachelelysia
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: >
+ CIS - Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock'
+ platforms: win10
+ platform: windows
+ description: |
+ This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials. The "Enabled with UEFI lock" option ensures that Credential Guard cannot be disabled remotely. In order to disable the feature, you must set the Group Policy to "Disabled" as well as remove the security functionality from each computer, with a physically present user, in order to clear configuration persisted in UEFI.
+ resolution: |
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled with UEFI lock':
+ 'Computer Configuration\Policies\Administrative Templates\System\Device Guard\Turn On Virtualization Based Security: Credential Guard Configuration'
+ query: |
+ SELECT 1 FROM REGISTRY WHERE (PATH = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard\LsaCfgFlags' AND data = 1);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.8.5.5
+ contributors: rachelelysia
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: >
+ CIS - Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled'
+ platforms: win10
+ platform: windows
+ description: |
+ Secure Launch protects the Virtualization Based Security environment from exploited vulnerabilities in device firmware.
+ resolution: |
+ To establish the recommended configuration via GP, set the following UI path to Enabled:
+ 'Computer Configuration\Policies\Administrative Templates\System\Device Guard\Turn On Virtualization Based Security: Secure Launch Configuration'
+ query: |
+ SELECT 1 FROM REGISTRY WHERE (PATH = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard\ConfigureSystemGuardLaunch' AND data = 1);
+ purpose: Informational
+ tags: compliance, CIS, CIS_NG, CIS_win10_enterprise_1.12.0, CIS_bullet_18.8.5.6
+ contributors: rachelelysia
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: >
+ CIS - Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Enabled'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device.
+ If you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
+ If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.
+ resolution: |
+ To establish the recommended configuration via GP, set the following UI path to Enabled:
+ 'Computer Configuration\Policies\Administrative Templates\System\Device Installation\Device Installation Restrictions\Prevent installation of devices that match any of these device IDs'
+ query: |
+ SELECT 1 FROM REGISTRY WHERE (PATH = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceInstall\\Restrictions\DenyDeviceIDs' AND data = 1);
+ purpose: Informational
+ tags: compliance, CIS, CIS_BL, CIS_win10_enterprise_1.12.0, CIS_bullet_18.8.7.1.1
+ contributors: rachelelysia
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: >
+ CIS - Ensure 'Prevent installation of devices that match any of these device IDs: Prevent installation of devices that match any of these device IDs' is set to 'PCI\CC_0C0A'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device.
+ If you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
+ If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.
+ resolution: |
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled', and add 'PCI\CC_0C0A' to the Device IDs list:
+ 'Computer Configuration\Policies\Administrative Templates\System\Device Installation\Device Installation Restrictions\Prevent installation of devices that match any of these device IDs'
+ query: |
+ SELECT 1 FROM REGISTRY WHERE (PATH = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceInstall\\Restrictions\\DenyDeviceIDs\1' AND data = 'PCI\CC_0C0A');
+ purpose: Informational
+ tags: compliance, CIS, CIS_BL, CIS_win10_enterprise_1.12.0, CIS_bullet_18.8.7.1.2
+ contributors: rachelelysia
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: >
+ CIS - Ensure 'Prevent installation of devices that match any of these device IDs: Also apply to matching devices that are already installed.' is set to 'True' (checked)
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device.
+ If you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
+ If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.
+ resolution: |
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled', and check the 'Also apply to matching devices that are already installed'. checkbox:
+ 'Computer Configuration\Policies\Administrative Templates\System\Device Installation\Device Installation Restrictions\Prevent installation of devices that match any of these device IDs'
+ query: |
+ SELECT 1 FROM REGISTRY WHERE (PATH = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceInstall\\Restrictions\DenyDeviceIDsRetroactive' AND data = 1);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.8.7.1.3
+ contributors: rachelelysia
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: >
+ CIS - Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device.
+ If you enable this policy setting, Windows is prevented from installing or updating device drivers whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
+ If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings.
+ resolution: |
+ To establish the recommended configuration via GP, set the following UI path to Enabled:
+ 'Computer Configuration\Policies\Administrative Templates\System\Device Installation\Device Installation Restrictions\Prevent installation of devices using drivers that match these device setup classes'
+ query: |
+ SELECT 1 FROM REGISTRY WHERE (PATH = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceInstall\\Restrictions\DenyDeviceClasses' AND data = 1);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.8.7.1.4
+ contributors: rachelelysia
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: >
+ CIS - Ensure 'Prevent installation of devices using drivers that match these device setup classes: Prevent installation of devices using drivers for these device setup' is set to 'IEEE 1394 device setup classes'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device.
+ If you enable this policy setting, Windows is prevented from installing or updating device drivers whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
+ If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings.
+ resolution: |
+ To establish the recommended configuration via GP, set the following UI path to Enabled, and add {d48179be-ec20-11d1-b6b8-00c04fa372a7}, {7ebefbc0-3200-11d2-b4c2-00a0C9697d07}, {c06ff265-ae09-48f0-812c-16753d7cba83}, and {6bdd1fc1-810f-11d0-bec7-08002be2092f} to the device setup classes list:
+ 'Computer Configuration\Policies\Administrative Templates\System\Device Installation\Device Installation Restrictions\Prevent installation of devices using drivers that match these device setup classes'
+ query: |
+ SELECT data FROM registry WHERE ((key = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceInstall\\Restrictions\\DenyDeviceClasses\' AND data IN ('{d48179be-ec20-11d1-b6b8-00c04fa372a7}', '{7ebefbc0-3200-11d2-b4c2-00a0C9697d07}', '{c06ff265-ae09-48f0-812c-16753d7cba83}', '{6bdd1fc1-810f-11d0-bec7-08002be2092f}')) AND ((SELECT COUNT(*) FROM registry WHERE (key = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceInstall\\Restrictions\\DenyDeviceClasses\' AND data IN ('{d48179be-ec20-11d1-b6b8-00c04fa372a7}', '{7ebefbc0-3200-11d2-b4c2-00a0C9697d07}', '{c06ff265-ae09-48f0-812c-16753d7cba83}', '{6bdd1fc1-810f-11d0-bec7-08002be2092f}'))))=4);
+ purpose: Informational
+ tags: compliance, CIS, CIS_BL, CIS_win10_enterprise_1.12.0, CIS_bullet_18.8.7.1.5
+ contributors: rachelelysia
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: >
+ CIS - Ensure 'Prevent installation of devices using drivers that match these device setup classes: Also apply to matching devices that are already installed.' is set to 'True' (checked)
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device.
+ If you enable this policy setting, Windows is prevented from installing or updating device drivers whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
+ If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings.
+ resolution: |
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled', and check the 'Also apply to matching devices that are already installed.' checkbox:
+ 'Computer Configuration\Policies\Administrative Templates\System\Device Installation\Device Installation Restrictions\Prevent installation of devices using drivers that match these device setup classes'
+ query: |
+ SELECT 1 FROM REGISTRY WHERE (PATH = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceInstall\\Restrictions\DenyDeviceClassesRetroactive' AND data = 1);
+ purpose: Informational
+ tags: compliance, CIS, CIS_BL, CIS_win10_enterprise_1.12.0, CIS_bullet_18.8.7.1.6
+ contributors: rachelelysia
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: >
+ CIS - Ensure 'Prevent device metadata retrieval from the Internet' is set to 'Enabled'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting allows you to prevent Windows from retrieving device metadata from the Internet.
+ resolution: |
+ To establish the recommended configuration via GP, set the following UI path to Enabled:
+ 'Computer Configuration\Policies\Administrative Templates\System\Device Installation\Prevent device metadata retrieval from the Internet'
+ query: |
+ SELECT 1 FROM REGISTRY WHERE (PATH = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Device Metadata\PreventDeviceMetadataFromNetwork' AND data = 1);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.8.7.2
+ contributors: rachelelysia
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: >
+ CIS - Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical' (Automated)
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver:
+ Good: The driver has been signed and has not been tampered with.
+ Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized.
+ Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver.
+ Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver.
+ If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started.
+ If your malware detection application does not include an Early Launch Antimalware boot- start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized.
+ resolution: |
+ To establish the recommended configuration via GP, set the following UI path to Enabled: 'Good, unknown and bad but critical':
+ 'Computer Configuration\Policies\Administrative Templates\System\Early Launch Antimalware\Boot-Start Driver Initialization Policy'
+ query: |
+ SELECT 1 FROM REGISTRY WHERE (PATH = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Policies\\EarlyLaunch\DriverLoadPolicy' AND data = 3);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.8.14.1
+ contributors: rachelelysia
+---
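Review bot: The CIS_bullet_18.8.7.1.5 query compares the four device setup class GUIDs with a plain `IN` list, which SQLite evaluates case-sensitively (BINARY collation), and one of the expected values, `{7ebefbc0-3200-11d2-b4c2-00a0C9697d07}`, is mixed-case; a host where the administrator typed that GUID in a different case, which Windows treats as the same class, would report non-compliant for a compliant configuration. The `data = 'PCI\CC_0C0A'` comparison in CIS_bullet_18.8.7.1.2 has the same exposure, since PnP hardware IDs are matched case-insensitively. Making the left operand case-insensitive in both places, and in the `COUNT(*)` subquery as well, avoids the false failure without loosening the check: `data COLLATE NOCASE IN ('{d48179be-ec20-11d1-b6b8-00c04fa372a7}', …)` and `data COLLATE NOCASE = 'PCI\CC_0C0A'`. As a point of style, this is also the only query in the hunk that filters on `key` (with a trailing `\` before the closing quote) and spells `registry`/`data` in lower case while the others use `REGISTRY`/`PATH`; it is worth confirming that trailing separator is what the `key` column expects, and aligning the casing with the rest of the file.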