Merge pull request #76 from ansible-lockdown/devel

Final Move Of v3.0.0 To Main

Author: MrSteve81

ChangeLog.md

@@ -1,14 +1,28 @@
 # ChangeLog
 
+## Release 3.0.5
+September 2025 Update
+- Issues Addressed:
+    - [#73](https://github.com/ansible-lockdown/Windows-2022-CIS/issues/73) - Thank you @ShawnHardwick
+
+## Release 3.0.4
+
+May 2025 Update #2
+  - Issues Addressed:
+    - Fixed 1.1.6 to apply to all systems except for Domain Controllers. This is present in standalone version. - Thanks @mfortin
+    - Re-Verified 18.10.79.2 Paths
+    - Fixed 18.9.26.2 GPO Registry Entry
+
 ## Release 3.0.3
 
 May 2025 Update
-  - Fixed Control 18.6.14.1 For Missing RequirePrivacy=1 in Ansible Hardening. - Thanks @mfortin
-  - Updated 18.10.56.3.10.2 value to 60000 from 6000 in remediate and GPO - Thanks @mfortin
-  - Verified 18.10.79.2 Path In Remediate - Thanks @mfortin
-  - Updated 18.10.92.4.1 ManagePreviewBuildsPolicyValue to 1. - Thanks @mfortin
-  - Updated Pipelines Branches Trigger
-  - Updated Readme with New Badges
+  - Issues Addressed:
+    - Fixed Control 18.6.14.1 For Missing RequirePrivacy=1 in Ansible Hardening. - Thanks @mfortin
+    - Updated 18.10.56.3.10.2 value to 60000 from 6000 in remediate and GPO - Thanks @mfortin
+    - Verified 18.10.79.2 Path In Remediate - Thanks @mfortin
+    - Updated 18.10.92.4.1 ManagePreviewBuildsPolicyValue to 1. - Thanks @mfortin
+    - Updated Pipelines Branches Trigger
+    - Updated Readme with New Badges
 
 ## Release 3.0.2
 

defaults/main.yml

@@ -795,6 +795,17 @@ win22cis_legacy_rc4_hmac_md5_support: false
 # Default: 1
 win22cis_ldap_client_integrity: 1
 
+# 2.3.11.13
+# win22cis_restrict_sending_ntlm_traffic is the policy setting allows the auditing of outgoing NTLM traffic.
+# Events for this setting are recorded in the operational event log (e.g. Applications and Services
+# Log\Microsoft\Windows\NTLM). Configuring this setting to Deny All also conforms to the benchmark.
+# The recommended state for this setting is: Audit All.
+# Note: Possible Valid Settings
+# 1 - Deny All
+# 2 - Audit All
+# Default: 2
+win22cis_restrict_sending_ntlm_traffic: 2
+
 # 2.3.17.2
 # win22cis_consent_prompt_behavior_admin is the policy setting controls the behavior of the elevation prompt for administrators.
 # Configuring this setting to Prompt for credentials on the secure desktop also conforms to the benchmark.

tasks/ansible_hardening/section01.yml

@@ -128,7 +128,7 @@
 - name: "1.1.6 | PATCH | Ensure Relax minimum password length limits is set to Enabled."
   when:
     - win22cis_rule_1_1_6
-    - prelim_win22cis_is_domain_member
+    - not prelim_win22cis_is_domain_controller
   tags:
     - level1-memberserver
     - rule_1.1.6

tasks/ansible_hardening/section02.yml

@@ -3215,11 +3215,34 @@
     - NIST800-53R5_AU-3_1
     - NIST800-53R5_AU-7
     - NIST800-53R5_AU-12
-  ansible.windows.win_regedit:
-    path: HKLM:\SYSTEM\Currentcontrolset\Control\Lsa\MSV1_0
-    name: RestrictSendingNTLMTraffic
-    data: 2
-    type: dword
+  block:
+    - name: "2.3.11.13 | PATCH | Ensure Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers is set to Audit all or higher. | Apply Variable To Registry."
+      when:
+        - win22cis_restrict_sending_ntlm_traffic == 1 or
+          win22cis_restrict_sending_ntlm_traffic == 2
+      ansible.windows.win_regedit:
+        path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
+        name: RestrictSendingNTLMTraffic
+        data: "{{ win22cis_restrict_sending_ntlm_traffic }}"
+        type: dword
+
+    - name: "2.3.11.13 | AUDIT | Ensure Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers is set to Audit all or higher. | Warning Check For Variable."
+      when:
+        - win22cis_restrict_sending_ntlm_traffic == 0 or
+          win22cis_restrict_sending_ntlm_traffic > 2
+      ansible.builtin.debug:
+        msg:
+          - "Warning!! You have an invalid variable set for win22cis_restrict_sending_ntlm_traffic. Please read"
+          - "the notes for the variable and make the necessary change to the variable to be in compliance."
+
+    - name: "2.3.11.13 | AUDIT | Ensure Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers is set to Audit all or higher. | Warn Count."
+      vars:
+        warn_control_id: '2.3.11.13'
+      when:
+        - win22cis_restrict_sending_ntlm_traffic == 0 or
+          win22cis_restrict_sending_ntlm_traffic > 2
+      ansible.builtin.import_tasks:
+        file: warning_facts.yml
 
 - name: "2.3.13.1 | PATCH | Ensure Shutdown Allow system to be shut down without having to log on is set to Disabled"
   when: win22cis_rule_2_3_13_1

tasks/ansible_hardening/section18.yml

@@ -4672,7 +4672,7 @@
     - name: "18.10.79.2 | PATCH | Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled' | Set Variable."
       when: win22cis_allow_windows_ink_workspace == 0 or win22cis_allow_windows_ink_workspace == 1
       ansible.windows.win_regedit:
-        path: HKLM:\SOFTWARE\Microsoft\Policies\Microsoft\WindowsInkWorkspace
+        path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace
         name: AllowWindowsInkWorkspace
         data: "{{ win22cis_allow_windows_ink_workspace }}"
         type: dword

tasks/gpo_creation/gpo_section02.yml

@@ -4933,9 +4933,7 @@
   register: rule_2_3_11_12_results
 
 - name: "2.3.11.13 | GPO | Ensure Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers is set to Audit all or higher"
-  when:
-    - win22cis_rule_2_3_11_13
-    - "'(Skipped)' not in item"
+  when: win22cis_rule_2_3_11_13
   tags:
     - level1-domaincontroller
     - level1-memberserver
@@ -4954,31 +4952,55 @@
     - NIST800-53R5_AU-3_1
     - NIST800-53R5_AU-7
     - NIST800-53R5_AU-12
-  ansible.windows.win_shell: |
-    $gpoName = "{{ item }}"
-    $registryKeyPath = "HKLM\SYSTEM\Currentcontrolset\Control\Lsa\MSV1_0"
-    $registryValueName = "RestrictSendingNTLMTraffic"
-    $type = "DWORD"
-    $desiredValue = 2
+  block:
+    - name: "2.3.11.13 | AUDIT | Ensure Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers is set to Audit all or higher. | Set GPO Value.."
+      when:
+        - "'(Skipped)' not in item"
+        - win22cis_restrict_sending_ntlm_traffic == 1 or
+          win22cis_restrict_sending_ntlm_traffic == 2
+      ansible.windows.win_shell: |
+        $gpoName = "{{ item }}"
+        $registryKeyPath = "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0"
+        $registryValueName = "RestrictSendingNTLMTraffic"
+        $type = "DWORD"
+        $desiredValue = {{ win22cis_restrict_sending_ntlm_traffic }}
 
-    # Get the current value of the registry key in the GPO
-    $currentValue = (Get-GPRegistryValue -Name $gpoName -Key $registryKeyPath -ValueName $registryValueName -ErrorAction SilentlyContinue).Value
+        # Get the current value of the registry key in the GPO
+        $currentValue = (Get-GPRegistryValue -Name $gpoName -Key $registryKeyPath -ValueName $registryValueName -ErrorAction SilentlyContinue).Value
 
-    # Check if the current value is equal to the desired value
-    if ($currentValue -ne $desiredValue) {
-        # If not, set the registry value to the desired value
-        Set-GPRegistryValue -Name $gpoName -Key $registryKeyPath -ValueName $registryValueName -Type $type -Value $desiredValue
-        Write-Output "Patched"
-    } else {
-        Write-Output "No Change Needed"
-    }
-  loop:
-    - "{{ win22cis_l1_dc_gpo_name ~ ( '(Skipped)' if not win22cis_l1_dc_gpo else '' ) }}"
-    - "{{ win22cis_l1_ms_gpo_name ~ ( '(Skipped)' if not win22cis_l1_ms_gpo else '' ) }}"
-  loop_control:
-    label: "{{ item }}"
-  changed_when: '"Patched" in rule_2_3_11_13_results.stdout'
-  register: rule_2_3_11_13_results
+        # Check if the current value is equal to the desired value
+        if ($currentValue -ne $desiredValue) {
+            # If not, set the registry value to the desired value
+            Set-GPRegistryValue -Name $gpoName -Key $registryKeyPath -ValueName $registryValueName -Type $type -Value $desiredValue
+            Write-Output "Patched"
+        } else {
+            Write-Output "No Change Needed"
+        }
+      loop:
+        - "{{ win22cis_l1_dc_gpo_name ~ ( '(Skipped)' if not win22cis_l1_dc_gpo else '' ) }}"
+        - "{{ win22cis_l1_ms_gpo_name ~ ( '(Skipped)' if not win22cis_l1_ms_gpo else '' ) }}"
+      loop_control:
+        label: "{{ item }}"
+      changed_when: '"Patched" in rule_2_3_11_13_results.stdout'
+      register: rule_2_3_11_13_results
+
+    - name: "2.3.11.13 | AUDIT | Ensure Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers is set to Audit all or higher. | Warning Check For Variable."
+      ansible.builtin.debug:
+        msg:
+          - "Warning!! You have an invalid variable set for win22cis_restrict_sending_ntlm_traffic. Please read"
+          - "the notes for the variable and make the necessary change to the variable to be in compliance."
+      when:
+        - win22cis_restrict_sending_ntlm_traffic == 0 or
+          win22cis_restrict_sending_ntlm_traffic > 2
+
+    - name: "2.3.11.13 | AUDIT | Ensure Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers is set to Audit all or higher. | Warn Count."
+      ansible.builtin.import_tasks:
+        file: warning_facts.yml
+      vars:
+        warn_control_id: '2.3.11.13'
+      when:
+        - win22cis_restrict_sending_ntlm_traffic == 0 or
+          win22cis_restrict_sending_ntlm_traffic > 2
 
 - name: "2.3.13.1 | GPO | Ensure Shutdown Allow system to be shut down without having to log on is set to Disabled"
   when:

tasks/gpo_creation/gpo_section18.yml

@@ -4684,7 +4684,7 @@
   ansible.windows.win_shell: |
     $gpoName = "{{ item }}"
     $registryKeyPath = "HKLM\SOFTWARE\Policies\Microsoft\Windows\System"
-    $registryValueName = "AllowCustomSSPsAPs"
+    $registryValueName = "RunAsPPL"
     $type = "DWORD"
     $desiredValue = 0