mirror of
https://github.com/empayre/fleet.git
synced 2024-11-06 17:05:18 +00:00
482 lines
28 KiB
YAML
482 lines
28 KiB
YAML
---
|
|
apiVersion: v1
|
|
kind: policy
|
|
spec:
|
|
name: CIS - Ensure 'Account lockout duration' is set to '15 or more minute(s)'
|
|
platforms: win10
|
|
platform: windows
|
|
description: |
|
|
This policy setting determines the length of time that must pass before a locked account is unlocked and a user can try to log on again. The setting does this by specifying the number of minutes a locked out account will remain unavailable. If the value for this policy setting is configured to 0, locked out accounts will remain locked out until an administrator manually unlocks them.
|
|
Although it might seem like a good idea to configure the value for this policy setting to a high value, such a configuration will likely increase the number of calls that the help desk receives to unlock accounts locked by mistake. Users should be aware of the length of time a lock remains in place, so that they realize they only need to call the help desk if they have an extremely urgent need to regain access to their computer.
|
|
The recommended state for this setting is: 15 or more minute(s).
|
|
Note: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center.
|
|
resolution: |
|
|
Automatic method:
|
|
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to '15 or more minute(s)':
|
|
'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout duration'
|
|
query: |
|
|
tbd
|
|
purpose: Informational
|
|
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_1.2.1, CIS_not_completed
|
|
contributors: sharon-fdm
|
|
---
|
|
apiVersion: v1
|
|
kind: policy
|
|
spec:
|
|
name: CIS - Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0'
|
|
platforms: win10
|
|
platform: windows
|
|
description: |
|
|
This policy setting determines the number of failed logon attempts before the account is locked. Setting this policy to 0 does not conform to the benchmark as doing so disables the account lockout threshold.
|
|
The recommended state for this setting is: 5 or fewer invalid logon attempt(s), but not 0.
|
|
Note: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center.
|
|
resolution: |
|
|
Automatic method:
|
|
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to '5 or fewer invalid login attempt(s), but not 0':
|
|
'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout threshold'
|
|
query: |
|
|
tbd
|
|
purpose: Informational
|
|
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_1.2.2, CIS_not_completed
|
|
contributors: sharon-fdm
|
|
---
|
|
apiVersion: v1
|
|
kind: policy
|
|
spec:
|
|
name: CIS - Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'
|
|
platforms: win10
|
|
platform: windows
|
|
description: |
|
|
This policy setting determines the length of time before the Account lockout threshold resets to zero. The default value for this policy setting is Not Defined. If the Account lockout threshold is defined, this reset time must be less than or equal to the value for the Account lockout duration setting.
|
|
If you leave this policy setting at its default value or configure the value to an interval that is too long, your environment could be vulnerable to a DoS attack. An attacker could maliciously perform a number of failed logon attempts on all users in the organization, which will lock out their accounts. If no policy were determined to reset the account lockout, it would be a manual task for administrators. Conversely, if a reasonable time value is configured for this policy setting, users would be locked out for a set period until all of the accounts are unlocked automatically.
|
|
The recommended state for this setting is: 15 or more minute(s).
|
|
Note: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center.
|
|
resolution: |
|
|
Automatic method:
|
|
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to '15 or more minute(s)':
|
|
'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Reset account lockout counter after'
|
|
query: |
|
|
tbd
|
|
purpose: Informational
|
|
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_1.2.3, CIS_not_completed
|
|
contributors: sharon-fdm
|
|
---
|
|
apiVersion: v1
|
|
kind: policy
|
|
spec:
|
|
name: CIS - Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'
|
|
platforms: win10
|
|
platform: windows
|
|
description: |
|
|
This policy setting allows a user to adjust the maximum amount of memory that is available to a process. The ability to adjust memory quotas is useful for system tuning, but it can be abused. In the wrong hands, it could be used to launch a denial of service (DoS) attack.
|
|
The recommended state for this setting is: Administrators, LOCAL SERVICE, NETWORK SERVICE.
|
|
resolution: |
|
|
Automatic method:
|
|
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to a list of only 'Administrators', 'LOCAL SERVICE' and 'NETWORK SERVICE':
|
|
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Adjust memory quotas for a process'
|
|
query: |
|
|
Tbd
|
|
purpose: Informational
|
|
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.4, CIS_not_completed, english-support-only
|
|
contributors: sharon-fdm
|
|
---
|
|
apiVersion: v1
|
|
kind: policy
|
|
spec:
|
|
name: CIS - Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'
|
|
platforms: win10
|
|
platform: windows
|
|
description: |
|
|
This policy setting determines which users or groups have the right to log on as a Remote Desktop Services client. If your organization uses Remote Assistance as part of its help desk strategy, create a group and assign it this user right through Group Policy. If the help desk in your organization does not use Remote Assistance, assign this user right only to the Administrators group or use the Restricted Groups feature to ensure that no user accounts are part of the Remote Desktop Users group.
|
|
Restrict this user right to the Administrators group, and possibly the Remote Desktop Users group, to prevent unwanted users from gaining access to computers on your network by means of the Remote Assistance feature.
|
|
The recommended state for this setting is: Administrators, Remote Desktop Users. Note: The above list is to be treated as a whitelist, which implies that the above
|
|
principals need not be present for assessment of this recommendation to pass.
|
|
Note #2: In all versions of Windows prior to Windows 7, Remote Desktop Services was known as Terminal Services, so you should substitute the older term if comparing against an older OS.
|
|
resolution: |
|
|
Automatic method:
|
|
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Administrators, Remote Desktop Users':
|
|
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on through Remote Desktop Services'
|
|
query: |
|
|
Tbd
|
|
purpose: Informational
|
|
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.6, CIS_not_completed, english-support-only
|
|
contributors: sharon-fdm
|
|
---
|
|
apiVersion: v1
|
|
kind: policy
|
|
spec:
|
|
name: CIS - Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'
|
|
platforms: win10
|
|
platform: windows
|
|
description: |
|
|
This setting determines which users can change the time zone of the computer. This ability holds no great danger for the computer and may be useful for mobile workers.
|
|
resolution: |
|
|
Automatic method:
|
|
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Administrators, LOCAL SERVICE, Users':
|
|
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Change the time zone'
|
|
query: |
|
|
tbd
|
|
purpose: Informational
|
|
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.9, CIS_not_completed, english-support-only
|
|
contributors: marcosd4h
|
|
---
|
|
apiVersion: v1
|
|
kind: policy
|
|
spec:
|
|
name: CIS - Ensure 'Deny log on as a batch job' includes 'Guest'
|
|
platforms: win10
|
|
platform: windows
|
|
description: |
|
|
This policy setting determines which accounts will not be able to log on to the computer as a
|
|
batch job. A batch job is not a batch (.bat) file, but rather a batch-queue facility. Accounts that use the Task Scheduler to schedule jobs need this user right.
|
|
resolution: |
|
|
Automatic method:
|
|
Ask your system administrator to establish the recommended configuration via GP, ensure that the following UI path includes 'Guests'
|
|
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as a batch job'
|
|
query: |
|
|
TBD
|
|
purpose: Informational
|
|
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.17, CIS_not_completed, english-support-only
|
|
contributors: marcosd4h
|
|
---
|
|
apiVersion: v1
|
|
kind: policy
|
|
spec:
|
|
name: CIS - Ensure 'Deny log on as a service' includes 'Guest'
|
|
platforms: win10
|
|
platform: windows
|
|
description: |
|
|
This security setting determines which service accounts are prevented from registering a process
|
|
as a service. This user right supersedes the Log on as a service user right if an account is subject to both policies.
|
|
resolution: |
|
|
Automatic method:
|
|
Ask your system administrator to establish the recommended configuration via GP, ensure that the following UI path includes 'Guests'
|
|
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as a service'
|
|
query: |
|
|
TBD
|
|
purpose: Informational
|
|
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.18, CIS_not_completed, english-support-only
|
|
contributors: marcosd4h
|
|
---
|
|
apiVersion: v1
|
|
kind: policy
|
|
spec:
|
|
name: CIS - Ensure 'Log on as a batch job' is set to 'Administrators'
|
|
platforms: win10
|
|
platform: windows
|
|
description: |
|
|
This policy setting allows accounts to log on using the task scheduler service. Because the task
|
|
scheduler is often used for administrative purposes, it may be needed in enterprise
|
|
environments. However, its use should be restricted in high security environments to prevent
|
|
misuse of system resources or to prevent attackers from using the right to launch malicious code
|
|
after gaining user level access to a computer.
|
|
resolution: |
|
|
Automatic method:
|
|
Ask your system administrator to establish the recommended configuration via GP, ensure that the following UI path is set to an empty list
|
|
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a batch job'
|
|
query: |
|
|
TBD
|
|
purpose: Informational
|
|
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.28, CIS_not_completed, english-support-only
|
|
contributors: marcosd4h
|
|
---
|
|
apiVersion: v1
|
|
kind: policy
|
|
spec:
|
|
name: CIS - Configure 'Log on as a service'
|
|
platforms: win10
|
|
platform: windows
|
|
description: |
|
|
This policy setting allows accounts to launch network services or to register a process as a
|
|
service running on the system. This user right should be restricted on any computer in a high
|
|
security environment, but because many applications may require this privilege, it should be
|
|
carefully evaluated and tested before configuring it in an enterprise environment. On Windows
|
|
Vista-based (and newer) computers, no users or groups have this privilege by default.
|
|
resolution: |
|
|
Automatic method:
|
|
Ask your system administrator to establish the recommended configuration via GP, ensure that the following UI path is set to an empty list
|
|
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a service'
|
|
query: |
|
|
TBD
|
|
purpose: Informational
|
|
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.29, CIS_not_completed, english-support-only
|
|
contributors: marcosd4h
|
|
---
|
|
apiVersion: v1
|
|
kind: policy
|
|
spec:
|
|
name: CIS - Ensure 'Perform volume maintenance tasks' is set to 'Administrators'
|
|
platforms: win10
|
|
platform: windows
|
|
description: |
|
|
This policy setting allows users to manage the system's volume or disk configuration, which could allow a user to delete a volume and cause data loss as well as a denial-ofservice condition.
|
|
resolution: |
|
|
Automatic method:
|
|
Ask your system administrator to establish the recommended configuration via GP, ensure that the following UI path is set to an empty list
|
|
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Perform volume maintenance tasks'
|
|
query: |
|
|
TBD
|
|
purpose: Informational
|
|
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.33, CIS_not_completed, english-support-only
|
|
contributors: marcosd4h
|
|
---
|
|
apiVersion: v1
|
|
kind: policy
|
|
spec:
|
|
name: CIS - Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'
|
|
platforms: win10
|
|
platform: windows
|
|
description: |
|
|
This policy setting allows users to use tools to view the performance of different system
|
|
processes, which could be abused to allow attackers to determine a system's active processes and
|
|
provide insight into the potential attack surface of the computer.
|
|
resolution: |
|
|
Automatic method:
|
|
Ask your system administrator to establish the recommended configuration via GP, ensure that the following UI path is set to an empty list
|
|
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Profile system performance'
|
|
query: |
|
|
TBD
|
|
purpose: Informational
|
|
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.35, CIS_not_completed, english-support-only
|
|
contributors: marcosd4h
|
|
---
|
|
apiVersion: v1
|
|
kind: policy
|
|
spec:
|
|
name: CIS - Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'
|
|
platforms: win10
|
|
platform: windows
|
|
description: |
|
|
This policy setting allows one process or service to start another service or process with a
|
|
different security access token, which can be used to modify the security access token of that sub-process and result in the escalation of privileges.
|
|
resolution: |
|
|
Automatic method:
|
|
Ask your system administrator to establish the recommended configuration via GP, ensure that the following UI path is set to an empty list
|
|
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Replace a process level token'
|
|
query: |
|
|
TBD
|
|
purpose: Informational
|
|
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.36, CIS_not_completed, english-support-only
|
|
contributors: marcosd4h
|
|
---
|
|
apiVersion: v1
|
|
kind: policy
|
|
spec:
|
|
name: CIS - Ensure 'Shut down the system' is set to 'Administrators, Users'
|
|
platforms: win10
|
|
platform: windows
|
|
description: |
|
|
This policy setting determines which users who are logged on locally to the computers in your
|
|
environment can shut down the operating system with the Shut Down command. Misuse of this user right can result in a denial of service condition.
|
|
resolution: |
|
|
Automatic method:
|
|
Ask your system administrator to establish the recommended configuration via GP, ensure that the following UI path is set to an empty list
|
|
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Shut down the system'
|
|
query: |
|
|
TBD
|
|
purpose: Informational
|
|
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.2.38, CIS_not_completed, english-support-only
|
|
contributors: marcosd4h
|
|
---
|
|
apiVersion: v1
|
|
kind: policy
|
|
spec:
|
|
name: >
|
|
CIS - Ensure 'Network access : Allow anonymous SID/Name translation' is set to 'Disabled'
|
|
platforms: win10
|
|
platform: windows
|
|
description: |
|
|
This policy setting determines whether an anonymous user can request security identifier
|
|
(SID) attributes for another user, or use a SID to obtain its corresponding user name.
|
|
The recommended state for this setting is: Disabled.
|
|
resolution: |
|
|
To establish the recommended configuration via GP, set the following UI path to Disabled:
|
|
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Allow anonymous SID/Name translation'
|
|
query: |
|
|
TBD
|
|
purpose: Informational
|
|
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.10.1, CIS_not_completed
|
|
contributors: rachelelysia
|
|
---
|
|
apiVersion: v1
|
|
kind: policy
|
|
spec:
|
|
name: CIS - Ensure 'Network security Force logoff when logon hours expire' is set to 'Enabled'
|
|
platforms: win10
|
|
platform: windows
|
|
description: |
|
|
This policy setting determines whether to disconnect users who are connected to the local
|
|
computer outside their user account's valid logon hours. This setting affects the Server Message
|
|
Block (SMB) component.
|
|
resolution: |
|
|
Automatic method:
|
|
Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Enabled':
|
|
'Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Force logoff when logon hours expire'
|
|
query: |
|
|
TBD
|
|
purpose: Informational
|
|
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_2.3.11.6, CIS_not_completed
|
|
contributors: marcosd4h
|
|
---
|
|
apiVersion: v1
|
|
kind: policy
|
|
spec:
|
|
name: >
|
|
CIS - Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'
|
|
platforms: win10
|
|
platform: windows
|
|
description: |
|
|
The "Process even if the Group Policy objects have not changed" option updates and reapplies policies even if the policies have not changed.
|
|
resolution: |
|
|
To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Process even if the Group Policy objects have not changed option to TRUE (checked):
|
|
'Computer Configuration\Policies\Administrative Templates\System\Group Policy\Configure registry policy processing'
|
|
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
|
|
query: |
|
|
TBD
|
|
# Registry key wont change on edit (from 1 to 0)
|
|
# SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Group Policy\\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoGPOListChanges' AND data = 0);
|
|
purpose: Informational
|
|
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_not_completed, CIS_domain_joined_required, CIS_bullet_18.8.21.3, CIS_not_completed
|
|
contributors: rachelelysia
|
|
---
|
|
apiVersion: v1
|
|
kind: policy
|
|
spec:
|
|
name: >
|
|
CIS - Ensure 'Continue experiences on this device' is set to 'Disabled'
|
|
platforms: win10
|
|
platform: windows
|
|
description: |
|
|
This policy setting determines whether the Windows device is allowed to participate in cross-device experiences (continue experiences).
|
|
resolution: |
|
|
To establish the recommended configuration via GP, set the following UI path to Disabled:
|
|
'Computer Configuration\Policies\Administrative Templates\System\Group Policy\Continue experiences on this device'
|
|
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
|
|
query: |
|
|
TBD
|
|
# Registry key wont change on edit (from 1 to 0)
|
|
# SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\EnableCdp' AND data = 0);
|
|
purpose: Informational
|
|
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_not_completed, CIS_domain_joined_required, CIS_bullet_18.8.21.4, CIS_not_completed
|
|
contributors: rachelelysia
|
|
---
|
|
apiVersion: v1
|
|
kind: policy
|
|
spec:
|
|
name: >
|
|
CIS - Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'
|
|
platforms: win10
|
|
platform: windows
|
|
description: |
|
|
This policy setting prevents Group Policy from being updated while the computer is in use.
|
|
This policy setting applies to Group Policy for computers, users and Domain Controllers.
|
|
resolution: |
|
|
To establish the recommended configuration via GP, set the following UI path to Disabled:
|
|
'Computer Configuration\Policies\Administrative Templates\System\Group Policy\Turn off background refresh of Group Policy'
|
|
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
|
|
query: |
|
|
TBD
|
|
# DisableBkGndGroupPolicy registry path does not exist even with psexec.exe
|
|
# Untested: SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\DisableBkGndGroupPolicy' AND data = 0);
|
|
purpose: Informational
|
|
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_not_completed, CIS_domain_joined_required, CIS_bullet_18.8.21.5
|
|
contributors: rachelelysia
|
|
---
|
|
apiVersion: v1
|
|
kind: policy
|
|
spec:
|
|
name: >
|
|
CIS - Ensure 'Turn off cloud consumer account state content' is set to 'Enabled'
|
|
platforms: win10
|
|
platform: windows
|
|
description: |
|
|
This policy setting determines whether cloud consumer account state content is allowed in all Windows experiences.
|
|
resolution: |
|
|
To establish the recommended configuration via GP, set the following UI path to Enabled:
|
|
'Computer Configuration\Policies\Administrative Templates\Windows Components\Cloud Content\Turn off cloud consumer account state content'
|
|
query: |
|
|
# TBD
|
|
# 'Turn off cloud consumer account state content' does not exist in group policy editor even though CloudContent.admx exists and other policies exist
|
|
# Untested: Select 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\\Windows\\CloudContent\DisableConsumerAccountStateContent' AND data = 1);
|
|
purpose: Informational
|
|
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.14.1, CIS_not_completed
|
|
contributors: rachelelysia
|
|
---
|
|
apiVersion: v1
|
|
kind: policy
|
|
spec:
|
|
name: >
|
|
CIS - Ensure 'Disable OneSettings Downloads' is set to 'Enabled'
|
|
platforms: win11
|
|
platform: windows
|
|
description: |
|
|
This policy is meant for Windows 11.
|
|
This policy setting controls whether Windows attempts to connect with the OneSettings service to download configuration settings.
|
|
resolution: |
|
|
To establish the recommended configuration via GP, set the following UI path to Enabled:
|
|
'Computer Configuration\Policies\Administrative Templates\Windows Components\Data Collection and Preview Builds\Disable OneSettings Downloads'
|
|
query: |
|
|
# Untested on Win11: SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\DisableOneSettingsDownloads' AND data = 1);
|
|
purpose: Informational
|
|
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.17.3, CIS_not_completed
|
|
contributors: rachelelysia
|
|
---
|
|
apiVersion: v1
|
|
kind: policy
|
|
spec:
|
|
name: >
|
|
CIS - Ensure 'Enable OneSettings Auditing' is set to 'Enabled'
|
|
platforms: win11
|
|
platform: windows
|
|
description: |
|
|
This policy is meant for Windows 11.
|
|
This policy setting controls whether Windows records attempts to connect with the OneSettings service to the Operational EventLog.
|
|
resolution: |
|
|
To establish the recommended configuration via GP, set the following UI path to Enabled:
|
|
'Computer Configuration\Policies\Administrative Templates\Windows Components\Data Collection and Preview Builds\Enable OneSettings Auditing'
|
|
query: |
|
|
# Untested on Win11: SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\DataCollection\EnableOneSettingsAuditing' AND data = 1);
|
|
purpose: Informational
|
|
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.17.5, CIS_not_completed
|
|
contributors: rachelelysia
|
|
---
|
|
apiVersion: v1
|
|
kind: policy
|
|
spec:
|
|
name: >
|
|
CIS - Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled'
|
|
platforms: win11
|
|
platform: windows
|
|
description: |
|
|
This policy is meant for Windows 11.
|
|
This policy setting controls whether additional diagnostic logs are collected when more information is needed to troubleshoot a problem on the device.
|
|
resolution: |
|
|
To establish the recommended configuration via GP, set the following UI path to Enabled:
|
|
'Computer Configuration\Policies\Administrative Templates\Windows Components\Data Collection and Preview Builds\Limit Diagnostic Log Collection'
|
|
query: |
|
|
# Untested on Win 11: SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\LimitDiagnosticLogCollection' AND data = 1);
|
|
purpose: Informational
|
|
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.17.6, CIS_not_completed
|
|
contributors: rachelelysia
|
|
---
|
|
apiVersion: v1
|
|
kind: policy
|
|
spec:
|
|
name: >
|
|
CIS - Ensure 'Limit Dump Collection' is set to 'Enabled'
|
|
platforms: win11
|
|
platform: windows
|
|
description: |
|
|
This policy is meant for Windows 11.
|
|
This policy setting limits the type of dumps that can be collected when more information is needed to troubleshoot a problem.
|
|
resolution: |
|
|
To establish the recommended configuration via GP, set the following UI path to Enabled.
|
|
'Computer Configuration\Policies\Administrative Templates\Windows Components\Data Collection and Preview Builds\Limit Dump Collection'
|
|
query: |
|
|
# Untested on Win 11: SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection\LimitDumpCollection' AND data = 1);
|
|
purpose: Informational
|
|
tags: compliance, CIS, CIS_Level1, CIS_win10_enterprise_1.12.0, CIS_bullet_18.9.17.7, CIS_not_completed
|
|
contributors: rachelelysia
|
|
---
|
|
|