fleet/ee/cis/win-10/cis-policy-queries.yml
2023-02-03 14:11:22 -03:00

---
# The latest version of CIS Benchmarks for Windows 10 standalone is version 1.0.1
apiVersion: v1
kind: policy
spec:
  name: CIS - Ensure 'Enforce password history' is set to '24' or more passwords
  platforms: win10
  platform: windows
  description: |
    This policy check determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password.
  resolution: |
    Automatic method:
    Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 24 or more passwords:
    'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Enforce password history'
  query: |
    SELECT 1 FROM security_profile_info WHERE password_history_size >= 24;
  purpose: Informational
  tags: compliance, CIS, CIS_Level1, CIS1.1.1
  contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
  name: CIS - Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'
  platforms: win10
  platform: windows
  description: |
    This policy setting defines how long a user can use their password before it expires.
  resolution: |
    Automatic method:
    Ask your system administrator to establish the recommended configuration via GP, set the
    following UI path to 365 or fewer days, but not 0:
    'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Maximum password age'
  query: |
    SELECT 1 FROM security_profile_info WHERE (maximum_password_age <= 365 AND maximum_password_age != 0);
  purpose: Informational
  tags: compliance, CIS, CIS_Level1, CIS1.1.2
  contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
  name: CIS - Ensure 'Minimum password age' is set to '1 or more days'
  platforms: win10
  platform: windows
  description: |
    This policy setting determines the number of days that you must use a password before you can
    change it. The range of values for this policy setting is between 1 and 999 days.
  resolution: |
    Automatic method:
    Ask your system administrator to establish the recommended configuration via GP, set the
    following UI path to 1 or more days:
    'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password age'
  query: |
    SELECT 1 FROM security_profile_info WHERE minimum_password_age >= 1;
  purpose: Informational
  tags: compliance, CIS, CIS_Level1, CIS1.1.3
  contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
  name: CIS - Ensure 'Minimum password length' is set to '14 or more characters'
  platforms: win10
  platform: windows
  description: |
    This policy setting determines the least number of characters that make up a password for a user account.
  resolution: |
    Automatic method:
    Ask your system administrator to establish the recommended configuration via GP, set the
    following UI path to 14 or more characters:
    'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password length'
  query: |
    SELECT 1 FROM security_profile_info WHERE minimum_password_length >= 14;
  purpose: Informational
  tags: compliance, CIS, CIS_Level1, CIS1.1.4
  contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
  name: CIS - Ensure 'Password must meet complexity requirements' is set to 'Enabled'
  platforms: win10
  platform: windows
  description: |
    This policy setting checks all new passwords to ensure that they meet basic requirements for
    strong passwords. Passwords that contain only alphanumeric characters are extremely easy to
    discover with several publicly available tools.
  resolution: |
    Automatic method:
    Ask your system administrator to establish the recommended configuration via GP, set the
    following UI path to 'Enabled':
    'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements'
  query: |
    SELECT 1 FROM security_profile_info WHERE password_complexity = 1;
  purpose: Informational
  tags: compliance, CIS, CIS_Level1, CIS1.1.5
  contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
  name: CIS - Ensure 'Relax minimum password length limits' is set to 'Enabled'
  platforms: win10
  platform: windows
  description: |
    This policy setting determines whether the minimum password length setting can be increased beyond the legacy limit of 14 characters.
  resolution: |
    Automatic method:
    Ask your system administrator to establish the recommended configuration via GP, set the
    following UI path to 'Enabled':
    'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Relax minimum password length limits'
  query: |
    SELECT 1 FROM registry WHERE (path = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SAM\\RelaxMinimumPasswordLengthLimits' AND data != 0);
  purpose: Informational
  tags: compliance, CIS, CIS_Level1, CIS1.1.6
  contributors: marcosd4h
---
apiVersion: v1
kind: policy
spec:
  name: CIS - Ensure 'Store passwords using reversible encryption' is set to 'Disabled'
  platforms: win10
  platform: windows
  description: |
    This policy setting determines whether the operating system stores passwords in a way that uses
    reversible encryption, which provides support for application protocols that require knowledge
    of the user's password for authentication purposes. Passwords that are stored with reversible
    encryption are essentially the same as plaintext versions of the passwords.
  resolution: |
    Automatic method:
    Ask your system administrator to establish the recommended configuration via GP, set the following UI path to 'Disabled':
    'Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Store passwords using reversible encryption'
  query: |
    SELECT 1 FROM security_profile_info WHERE clear_text_password = 0;
  purpose: Informational
  tags: compliance, CIS, CIS_Level1, CIS1.1.7
  contributors: marcosd4h
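
A Fleet policy passes on a host when its query returns at least one row. The following added example (not part of the Fleet repository) runs the `security_profile_info` queries from this file against constructed host profiles in an in-memory SQLite table, to show which CIS tags fail for a weak profile, for a maximum password age of 0, and for a value that is missing. The function name, the sample profiles and the INTEGER column types are assumptions made for the illustration.

```python
import sqlite3

# security_profile_info policy queries copied from this file, keyed by CIS tag.
# CIS1.1.6 is left out because it reads the registry table instead.
POLICIES = {
    "CIS1.1.1": "SELECT 1 FROM security_profile_info WHERE password_history_size >= 24;",
    "CIS1.1.2": "SELECT 1 FROM security_profile_info WHERE "
                "(maximum_password_age <= 365 AND maximum_password_age != 0);",
    "CIS1.1.3": "SELECT 1 FROM security_profile_info WHERE minimum_password_age >= 1;",
    "CIS1.1.4": "SELECT 1 FROM security_profile_info WHERE minimum_password_length >= 14;",
    "CIS1.1.5": "SELECT 1 FROM security_profile_info WHERE password_complexity = 1;",
    "CIS1.1.7": "SELECT 1 FROM security_profile_info WHERE clear_text_password = 0;",
}

COLUMNS = ("password_history_size", "maximum_password_age", "minimum_password_age",
           "minimum_password_length", "password_complexity", "clear_text_password")

# Constructed sample profiles, not captured from real hosts.
HARDENED = dict(zip(COLUMNS, (24, 60, 1, 14, 1, 0)))
WEAK = dict(zip(COLUMNS, (0, 42, 0, 0, 0, 0)))
NEVER_EXPIRES = dict(HARDENED, maximum_password_age=0)
MISSING_LENGTH = dict(HARDENED, minimum_password_length=None)


def failing_policies(profile):
    """Return the CIS tags whose query yields no row for this profile."""
    db = sqlite3.connect(":memory:")
    # Assumption: every column is modelled as INTEGER for this illustration.
    db.execute("CREATE TABLE security_profile_info (%s)"
               % ", ".join(c + " INTEGER" for c in COLUMNS))
    db.execute("INSERT INTO security_profile_info VALUES (?, ?, ?, ?, ?, ?)",
               [profile[c] for c in COLUMNS])
    # No row returned means the policy fails; a NULL value never satisfies
    # a comparison, so a missing setting is reported as failing.
    failed = [tag for tag, sql in POLICIES.items()
              if db.execute(sql).fetchone() is None]
    db.close()
    return failed


if __name__ == "__main__":
    for label, host in (("hardened", HARDENED), ("weak", WEAK),
                        ("never expires", NEVER_EXPIRES),
                        ("missing length", MISSING_LENGTH)):
        print(label, failing_policies(host))
```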