From 3ee113911c6d50126cd2bf4b6da5d31f6bd95fc2 Mon Sep 17 00:00:00 2001 From: RachelElysia <71795832+RachelElysia@users.noreply.github.com> Date: Fri, 10 Mar 2023 14:29:26 -0500 Subject: [PATCH] CIS - WIN10 - 18.6.x and 18.7.x policies (#10344)
---
 ee/cis/win-10/cis-policy-queries.yml | 83 +++++++++++++++++-- .../test/instructions/CIS_18.6-18.7.txt | 3 + 2 files changed, 81 insertions(+), 5 deletions(-) create mode 100644 ee/cis/win-10/test/instructions/CIS_18.6-18.7.txt
diff --git a/ee/cis/win-10/cis-policy-queries.yml b/ee/cis/win-10/cis-policy-queries.yml
index 91092aab4..80b2982f3 100644
--- a/ee/cis/win-10/cis-policy-queries.yml
+++ b/ee/cis/win-10/cis-policy-queries.yml
@@ -1744,7 +1744,7 @@ spec:
 SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Cryptography\\ForceKeyProtection' AND CAST(data AS INTEGER) >= 1);
 purpose: Informational
 tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.14.1
- contributors: marcosd4h
+ contributors: marcosd4h
 ---
 apiVersion: v1
 kind: policy
@@ -1769,7 +1769,7 @@ spec:
 SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\kernel\\obcaseinsensitive' AND data != 0);
 purpose: Informational
 tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.15.1
- contributors: marcosd4h
+ contributors: marcosd4h
 ---
 apiVersion: v1
 kind: policy
@@ -1791,7 +1791,7 @@ spec:
 SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\ProtectionMode' AND data != 0);
 purpose: Informational
 tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.15.2
- contributors: marcosd4h
+ contributors: marcosd4h
 ---
 apiVersion: v1
 kind: policy
@@ -2060,7 +2060,7 @@ spec:
 To establish the recommended configuration via GP, set the following UI path to 16,384 KB or greater:
 'Computer Configuration\Policies\Windows Settings\Security Settings\Windows Defender Firewall with Advanced Security\Windows Defender Firewall with Advanced Security - Local Group Policy Object\Windows Defender Firewall Properties\Domain Profile\Logging Customize\Size limit (KB)'
 query: |
- SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\\Microsoft\WindowsFirewall\DomainProfile\Logging\LogFileSize' and CAST(data as integer) >= 16384 );
+ SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\\Microsoft\WindowsFirewall\DomainProfile\Logging\LogFileSize' and CAST(data as integer) >= 16384 );
 purpose: Informational
 tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_9.1.6
 contributors: DefensiveDepth
@@ -2098,7 +2098,7 @@ spec:
 To establish the recommended configuration via GP, set the following UI path to Yes.
 'Computer Configuration\Policies\Windows Settings\Security Settings\Windows Defender Firewall with Advanced Security\Windows Defender Firewall with Advanced Security - Local Group Policy Object\Windows Defender Firewall Properties\Domain Profile\Logging Customize\Log successful connections'
 query: |
- SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging\LogSuccessfulConnections' and data = 1 );
+ SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging\LogSuccessfulConnections' and data = 1 );
 purpose: Informational
 tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_9.1.8
 contributors: DefensiveDepth
@@ -2521,3 +2521,76 @@ spec:
 tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.1.3
 contributors: rachelelysia
 ---
+apiVersion: v1
+kind: policy
+spec:
+ name: >
+ CIS - Ensure 'Allow Print Spooler to accept client connections' is set to 'Disabled'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting controls whether the Print Spooler service will accept client connections.
+ resolution: |
+ To establish the recommended configuration via GP, set the following UI path to Disabled:
+ 'Computer Configuration\Policies\Administrative Templates\Printers\Allow Print Spooler to accept client connections'
+ query: |
+ SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Printers\RegisterSpoolerRemoteRpcEndPoint' AND data = 2);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.6.1
+ contributors: rachelelysia
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: >
+ CIS - Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting controls whether computers will show a warning and a security elevation prompt when users create a new printer connection using Point and Print.
+ resolution: |
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled: Show warning and elevation prompt':
+ 'Computer Configuration\Policies\Administrative Templates\Printers\Point and Print Restrictions: When installing drivers for a new connection'
+ query: |
+ SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Printers\PointAndPrint\\NoWarningNoElevationOnInstall' AND data = 0);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.6.2
+ contributors: rachelelysia
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: >
+ CIS - Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting controls whether computers will show a warning and a security elevation prompt when users are updating drivers for an existing connection using Point and Print.
+ resolution: |
+ To establish the recommended configuration via GP, set the following UI path to 'Enabled: Show warning and elevation prompt':
+ 'Computer Configuration\Policies\Administrative Templates\Printers\Point and Print Restrictions: When updating drivers for an existing connection'
+ query: |
+ SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Printers\PointAndPrint\\UpdatePromptSettings' AND data = 0);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.6.3
+ contributors: rachelelysia
+---
+apiVersion: v1
+kind: policy
+spec:
+ name: >
+ CIS - Ensure 'Turn off notifications network usage' is set to 'Enabled'
+ platforms: win10
+ platform: windows
+ description: |
+ This policy setting blocks applications from using the network to send notifications to update tiles, tile badges, toast, or raw notifications. This policy setting turns off the connection between Windows and the Windows Push Notification Service (WNS). This policy setting also stops applications from being able to poll application services to update tiles.
+ resolution: |
+ To establish the recommended configuration via GP, set the following UI path to Enabled:
+ 'Computer Configuration\Policies\Administrative Templates\Start Menu and Taskbar\Turn off notifications network usage'
+ query: |
+ SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications\NoCloudApplicationNotification' AND data = 1);
+ purpose: Informational
+ tags: compliance, CIS, CIS_Level2, CIS_win10_enterprise_1.12.0, CIS_bullet_18.7.1.1
+ contributors: rachelelysia
+---
+
diff --git a/ee/cis/win-10/test/instructions/CIS_18.6-18.7.txt b/ee/cis/win-10/test/instructions/CIS_18.6-18.7.txt
new file mode 100644
index 000000000..6165aa454
--- /dev/null
+++ b/ee/cis/win-10/test/instructions/CIS_18.6-18.7.txt
@@ -0,0 +1,3 @@
+This page is intentionally left blank.
+
+Please see policy queries' description and resolution to properly set and remediate group policy.
\ No newline at end of file
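Review bot: The four added `path = '...'` literals mix `\\` and `\` as the key separator inside one string: `...\\Printers\RegisterSpoolerRemoteRpcEndPoint` (18.6.1), `...\\Printers\PointAndPrint\\NoWarningNoElevationOnInstall` (18.6.2), `...\\Printers\PointAndPrint\\UpdatePromptSettings` (18.6.3) and `...\\PushNotifications\NoCloudApplicationNotification` (18.7.1.1). Neither a YAML `|` block nor a single-quoted SQLite literal treats the backslash as an escape, so both forms reach the `registry` table exactly as written. Whether that table tolerates a doubled separator is not visible from this diff. Use one separator form for every component, matching the form the file's verified checks use, e.g. `path = 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Printers\\RegisterSpoolerRemoteRpcEndPoint'`, and confirm each query returns a row on a host with the setting applied. A path that never matches makes the policy fail on every host, hardened or not, which buries real drift in the Print Spooler and Point and Print settings, and the added CIS_18.6-18.7.txt has no test steps that would catch it.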