diff --git a/ee/cis/win-10/cis-NON-COMPLETED-policy-queries.yml b/ee/cis/win-10/cis-NON-COMPLETED-policy-queries.yml index b048f1851..d9215c383 100644 --- a/ee/cis/win-10/cis-NON-COMPLETED-policy-queries.yml +++ b/ee/cis/win-10/cis-NON-COMPLETED-policy-queries.yml 
@@ -340,6 +340,44 @@ spec: --- apiVersion: v1 kind: policy +spec: + name: > + CIS - Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled' + platforms: win10 + platform: windows + description: | + Although this "legacy" setting traditionally applied to the use of Internet Connection Sharing (ICS) in Windows 2000, Windows XP & Server 2003, this setting now freshly applies to the Mobile Hotspot feature in Windows 10 & Server 2016. + The recommended state for this setting is: Enabled. + resolution: | + To establish the recommended configuration via GP, set the following UI path to On (recommended): + 'Computer Configuration\Policies\Administrative Templates\Network\Network Connections\Prohibit use of Internet Connection Sharing on your DNS domain network' + query: | + SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections\NC_ShowSharedAccessUI' AND data = 0); + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.5.11.3 + contributors: DefensiveDepth +--- +apiVersion: v1 +kind: policy +spec: + name: > + CIS - Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled' + platforms: win10 + platform: windows + description: | + This policy setting determines whether to require domain users to elevate when setting a network's location. + The recommended state for this setting is: Enabled. 
+ resolution: | + To establish the recommended configuration via GP, set the following UI path to On (recommended): + 'Computer Configuration\Policies\Administrative Templates\Network\Network Connections\Require domain users to elevate when setting a network's location' + query: | + SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections\NC_StdDomainUserSetLocation' AND data = 1); + purpose: Informational + tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.5.11.4 + contributors: DefensiveDepth +--- +apiVersion: v1 +kind: policy spec: name: > CIS - Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE' diff --git a/ee/cis/win-10/cis-policy-queries.yml b/ee/cis/win-10/cis-policy-queries.yml index ae22e59bc..9f7b66c05 100644 --- a/ee/cis/win-10/cis-policy-queries.yml +++ b/ee/cis/win-10/cis-policy-queries.yml @@ -3950,7 +3950,7 @@ spec: This policy setting changes the operational behavior of the Responder network protocol driver. The Responder allows a computer to participate in Link Layer Topology Discovery requests so that it can be discovered and located on the network. It also allows a computer to participate in Quality-of-Service activities such as bandwidth estimation and network health analysis. The recommended state for this setting is: Disabled. resolution: | - To establish the recommended configuration via GP, set the following UI path to On (recommended): + To establish the recommended configuration via GP, set the following UI path to Disabled (recommended): 'Computer Configuration\Policies\Administrative Templates\Network\Link-Layer Topology Discovery\Turn on Responder (RSPNDR) driver' query: | SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD\EnableRspndr' AND data = 0); 
@@ -3998,44 +3998,6 @@ spec: --- apiVersion: v1 kind: policy -spec: - name: > - CIS - Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled' - platforms: win10 - platform: windows - description: | - Although this "legacy" setting traditionally applied to the use of Internet Connection Sharing (ICS) in Windows 2000, Windows XP & Server 2003, this setting now freshly applies to the Mobile Hotspot feature in Windows 10 & Server 2016. - The recommended state for this setting is: Enabled. - resolution: | - To establish the recommended configuration via GP, set the following UI path to On (recommended): - 'Computer Configuration\Policies\Administrative Templates\Network\Network Connections\Prohibit use of Internet Connection Sharing on your DNS domain network' - query: | - SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections\NC_ShowSharedAccessUI' AND data = 0); - purpose: Informational - tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.5.11.3 - contributors: DefensiveDepth ---- -apiVersion: v1 -kind: policy -spec: - name: > - CIS - Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled' - platforms: win10 - platform: windows - description: | - This policy setting determines whether to require domain users to elevate when setting a network's location. - The recommended state for this setting is: Enabled. 
- resolution: | - To establish the recommended configuration via GP, set the following UI path to On (recommended): - 'Computer Configuration\Policies\Administrative Templates\Network\Network Connections\Require domain users to elevate when setting a network's location' - query: | - SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections\NC_StdDomainUserSetLocation' AND data = 1); - purpose: Informational - tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.5.11.4 - contributors: DefensiveDepth ---- -apiVersion: v1 -kind: policy spec: name: > CIS - Ensure 'Allow Print Spooler to accept client connections' is set to 'Disabled'
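Review bot: In the first hunk (cis-NON-COMPLETED-policy-queries.yml, @@ -340,6 +340,44), both added resolution blocks still read "set the following UI path to On (recommended)" while each description gives the recommended state as Enabled. This is the same wording problem that the @@ -3950 hunk corrects for the RSPNDR entry. Change both to "Enabled (recommended)" in this patch so the remediation text agrees with the policy names and with what the queries check (NC_ShowSharedAccessUI with data = 0, NC_StdDomainUserSetLocation with data = 1).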
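Review bot: The @@ -3998,44 +3998,6 hunk in cis-policy-queries.yml drops the CIS_bullet_18.5.11.3 and CIS_bullet_18.5.11.4 entries, and the first hunk re-adds them line for line in the NON-COMPLETED file, but nothing in the visible lines says what is unfinished about them. Since the name, query and tags are identical in both places, add a YAML comment above the moved entries (or a line in the commit message) stating what blocks them, so it is clear what has to be resolved before they return to the completed file.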