Merge pull request #88 from ansible-lockdown/benchmark_v4.0.0

Benchmark v4.0.0

Author: MrSteve81

.github/.DS_Store

@@ -31,9 +31,12 @@ jobs:
       - uses: actions/first-interaction@main
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
-          pr-message: |-
-            Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
-            Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
+          issue_message: |-
+              Congrats on opening your first issue and thank you for taking the time to help improve Ansible-Lockdown!
+              Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
+          pr_message: |-
+              Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
+              Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
 
   build-azure-windows:
     # Use the AWS self-hosted runner
@@ -60,7 +63,7 @@ jobs:
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it.
       - name: Clone ${{ github.event.repository.name }}
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6.0.2
         with:
           ref: ${{ github.event.pull_request.head.sha }}
 
@@ -76,7 +79,7 @@ jobs:
 
       # Pull In OpenTofu Code For Windows Azure
       - name: Clone IaC Repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6.0.2
         with:
           repository: ansible-lockdown/github_windows_IaC
           path: .github/workflows/github_windows_IaC

.github/workflows/devel_pipeline_validation.yml

@@ -31,9 +31,12 @@ jobs:
       - uses: actions/first-interaction@main
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
-          pr-message: |-
-            Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
-            Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
+          issue_message: |-
+              Congrats on opening your first issue and thank you for taking the time to help improve Ansible-Lockdown!
+              Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
+          pr_message: |-
+              Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
+              Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
 
   build-azure-windows-gpo:
     # Use the AWS self-hosted runner
@@ -60,7 +63,7 @@ jobs:
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it.
       - name: Clone ${{ github.event.repository.name }}
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6.0.2
         with:
           ref: ${{ github.event.pull_request.head.sha }}
 
@@ -76,7 +79,7 @@ jobs:
 
       # Pull In OpenTofu Code For Windows Azure
       - name: Clone IaC Repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6.0.2
         with:
           repository: ansible-lockdown/github_windows_IaC
           path: .github/workflows/github_windows_IaC

.github/workflows/devel_pipeline_validation_gpo.yml

@@ -49,7 +49,7 @@ jobs:
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it.
       - name: Clone ${{ github.event.repository.name }}
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6.0.2
         with:
           ref: ${{ github.event.pull_request.head.sha }}
 
@@ -65,7 +65,7 @@ jobs:
 
       # Pull In OpenTofu Code For Windows Azure
       - name: Clone IaC Repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6.0.2
         with:
           repository: ansible-lockdown/github_windows_IaC
           path: .github/workflows/github_windows_IaC

.github/workflows/main_pipeline_validation.yml

@@ -49,7 +49,7 @@ jobs:
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it.
       - name: Clone ${{ github.event.repository.name }}
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6.0.2
         with:
           ref: ${{ github.event.pull_request.head.sha }}
 
@@ -65,7 +65,7 @@ jobs:
 
       # Pull In OpenTofu Code For Windows Azure
       - name: Clone IaC Repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6.0.2
         with:
           repository: ansible-lockdown/github_windows_IaC
           path: .github/workflows/github_windows_IaC

.github/workflows/main_pipeline_validation_gpo.yml

@@ -16,7 +16,7 @@ jobs:
 
     steps:
       - name: Checkout V4
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6.0.2
 
       - name: Update Galaxy
         uses: ansible-actions/ansible-galaxy-action@main

.github/workflows/update_galaxy.yml

@@ -1,5 +1,21 @@
 # ChangeLog
 
+## Release 4.1.0
+
+April 2026
+  - Updated the cloud based system check for manual overrides. New variable now in the defualt main. Please read the comments for the new variable. 
+  - Updated 18.10.57.3.10.1 variable accept anything between 1 and 900000 in Hardening & GPO.
+  - Updated Section 2 GPO for win_skip_for_test controls. Read comments in default/main.
+  - Issues Addressed:
+    - [#2](https://github.com/ansible-lockdown/Windows-2025-CIS/issues/2) - Thanks @davidstanaway
+    - [#7](https://github.com/ansible-lockdown/Windows-2025-CIS/issues/7) - Thanks @R2J2 (Updated When Statement to take into account Bool now)
+    - [#86](https://github.com/ansible-lockdown/Windows-2022-CIS/issues/86) - Thanks @git-cgallagher (Windows 2022 Issue Added Here To Update 2025)
+    - [#84](https://github.com/ansible-lockdown/Windows-2022-CIS/issues/84) - Thanks @Randriy-bulynko (Windows 2022 Issue Added Here To Update 2025)
+    - [#87](https://github.com/ansible-lockdown/Windows-2022-CIS/issues/87) - Thanks @Randriy-bulynko (Windows 2022 Issue Added Here To Update 2025)
+    - [#83](https://github.com/ansible-lockdown/Windows-2022-CIS/issues/83) - Thanks @exu-g (Windows 2022 Issue Added Here To Update 2025)
+  - PR's Addressed:
+    - [#3](https://github.com/ansible-lockdown/Windows-2025-CIS/pull/3) - Thanks @MatthieuLeboeuf 
+
 September 2025
   - Updated When For Control 18.4.6
   - Updated Title 2.3.10.10

ChangeLog.md

@@ -102,26 +102,58 @@ win22cis_section19: true
 # errors due to missing features or incompatible syntax in earlier versions of Ansible.
 min_ansible_version: "2.16"
 
-# win_skip_for_test is the setting that will skip tasks that may cause changes that will affect the system.
-# Controls that will be skipped:
-# win22cis_rule_2_2_26 - Breaks Local Admin Connection
-# win22cis_rule_2_2_27 - Breaks Local Admin Connection
-# win22cis_rule_2_3_1_3 - Rename default administrator account
-# win22cis_rule_9_3_4 - Enables Firewall Public Rules *Breaks Reboot*
-# win22cis_rule_18_10_89_1_1 - Disables WinRM Allow Client Basic Auth
-# win22cis_rule_18_10_89_1_2 - Disables Client Ensure Allow unencrypted traffic is set to Disabled Control.
-# win22cis_rule_18_10_89_1_3 - Ensure Disallow Digest authentication is set to Enabled
-# win22cis_rule_18_10_89_2_1 - Disables WinRM Allow Service Basic Auth
-# win22cis_rule_18_10_89_2_2 - Disables Remote Server Management through WinRM
-# win22cis_rule_18_10_89_2_3 - Disables Service Ensure Allow unencrypted traffic is set to Disabled Control.
-# win22cis_rule_18_10_90_1 - Disables Remote Shell Access
-win_skip_for_test: true
-
 # Changes will be made that will require a system reboot.
 # The following option will allow whether or not to skip the reboot.
 # Default: true
 skip_reboot: true
 
+# ╔═══════════════════════════════════════════════════════════════════════════════╗
+# ║                          win_skip_for_test                                    ║
+# ║                                                                               ║
+# ║  Skips tasks that may cause disruptive changes to the system during testing.  ║
+# ║                                                                               ║
+# ║  NOTE: When set to true, the corresponding GPO entries for the controls       ║
+# ║  listed below will also not be created. This applies to both the Ansible      ║
+# ║  remediation path and the GPO creation path.                                  ║
+# ║                                                                               ║
+# ║  Controls that will be skipped:                                               ║
+# ║    win22cis_rule_2_2_26       - Breaks Local Admin Connection                 ║
+# ║    win22cis_rule_2_2_27       - Breaks Local Admin Connection                 ║
+# ║    win22cis_rule_2_3_1_3      - Rename default administrator account          ║
+# ║    win22cis_rule_9_3_4        - Enables Firewall Public Rules *Breaks Reboot* ║
+# ║    win22cis_rule_18_10_89_1_1 - Disables WinRM Allow Client Basic Auth        ║
+# ║    win22cis_rule_18_10_89_1_2 - Disables Client Allow Unencrypted Traffic     ║
+# ║    win22cis_rule_18_10_89_1_3 - Disallow Digest Authentication                ║
+# ║    win22cis_rule_18_10_89_2_1 - Disables WinRM Allow Service Basic Auth       ║
+# ║    win22cis_rule_18_10_89_2_2 - Disables Remote Server Management via WinRM   ║
+# ║    win22cis_rule_18_10_89_2_3 - Disables Service Allow Unencrypted Traffic    ║
+# ║    win22cis_rule_18_10_90_1   - Disables Remote Shell Access                  ║
+# ╚═══════════════════════════════════════════════════════════════════════════════╝
+win_skip_for_test: true
+
+# ╔═══════════════════════════════════════════════════════════════════════════════╗
+# ║                     Hosted Virtual System Override                            ║
+# ║                                                                               ║
+# ║  By default, the role auto-detects whether the target is a cloud-based        ║
+# ║  hosted virtual system (Azure, AWS, GCE, DigitalOcean, etc.).                 ║
+# ║                                                                               ║
+# ║  The auto-detection when condition covers the most common combinations of     ║
+# ║  ansible_virtualization_type and ansible_system_vendor, however the number    ║
+# ║  of possible hypervisor/cloud combinations makes it impossible to account     ║
+# ║  for every environment. Known cases where auto-detection has produced         ║
+# ║  incorrect results include VMware vSphere on-prem, AWS GovCloud EC2, and      ║
+# ║  standalone (non-domain) VMware instances where virtualization_type           ║
+# ║  returns 'NA'. In these cases the secedit lockout control order (1.2.1-1.2.4) ║
+# ║  will fail with 'The parameter is incorrect' from secedit.                    ║
+# ║                                                                               ║
+# ║  If you encounter this error, set the override below to force the correct     ║
+# ║  order for your environment manually.                                         ║
+# ║                                                                               ║
+# ║    true  = treat as hosted/cloud virtual system                               ║
+# ║    false = treat as bare-metal or local VM                                    ║
+# ╚═══════════════════════════════════════════════════════════════════════════════╝
+# hosted_virtual_system_override: true
+
 # These variables correspond with the CIS rule IDs or paragraph numbers defined in
 # the CIS benchmark documents.
 # PLEASE NOTE: These work in coordination with the section # group variables and tags.
@@ -347,7 +379,6 @@ win22cis_rule_18_1_1_2: true
 win22cis_rule_18_1_2_2: true
 win22cis_rule_18_1_3: true
 win22cis_rule_18_4_1: true
-# win22cis_rule_18_4_2: true
 win22cis_rule_18_4_2: true
 win22cis_rule_18_4_3: true
 win22cis_rule_18_4_4: true
@@ -827,10 +858,10 @@ win22cis_ldap_client_integrity: 1
 # Log\Microsoft\Windows\NTLM). Configuring this setting to Deny All also conforms to the benchmark.
 # The recommended state for this setting is: Audit All.
 # Note: Possible Valid Settings
-# 1 - Deny All
-# 2 - Audit All
-# Default: 2
-win22cis_restrict_sending_ntlm_traffic: 2
+# 1 - Audit All
+# 2 - Deny All
+# Default: 1
+win22cis_restrict_sending_ntlm_traffic: 1
 
 # 2.3.17.2
 # win22cis_consent_prompt_behavior_admin is the policy setting controls the behavior of the elevation prompt for administrators.
@@ -1052,7 +1083,7 @@ win22cis_remote_encryption_protection_aggressiveness: 1
 # win22cis_idle_rdp_session_disconnect_time is the setting that allows you to specify the maximum amount of time that an active Remote Desktop
 # Services session can be idle (without user input) before it is automatically disconnected.
 # The recommended state for this setting is: Enabled: 15 minutes or less, but not Never (0).
-# 1 min = 60000, 5 min = 300000, 10 min = 600000, 15 min = 900000
+# This now accepts any value between 1 and 900000.
 # Default: 900000
 win22cis_idle_rdp_session_disconnect_time: 900000
 

defaults/main.yml

@@ -29,46 +29,56 @@
 # Current list is elastic and will be updated as we test more cloud based services.
 # Current testing is working in Azure using Hyper-V. We are currently using this for reference:
 # https://github.com/ansible/ansible/blob/905131fc76a07cf89dbc8d33e7a4910da3f10a16/lib/ansible/module_utils/facts/virtual/linux.py#L205
-- name: PRELIM | Set Fact If Cloud-Based System.
+- name: "PRELIM | Set Fact If Cloud-Based System (auto-detect)."
   when:
+    - hosted_virtual_system_override is not defined
     - not ansible_virtualization_type == 'VMware' or
       (ansible_system_vendor == 'Microsoft Corporation' and
       ansible_virtualization_type in ['Hyper-V', 'hvm', 'kvm'])
   tags: always
   ansible.builtin.set_fact:
     prelim_win22cis_cloud_based_system: true
 
-- name: PRELIM | Obtain Then Load Default And User Hives
+- name: "PRELIM | Set Fact If Cloud-Based System (manual override)."
+  when: hosted_virtual_system_override is defined
+  tags: always
+  ansible.builtin.set_fact:
+    prelim_win22cis_cloud_based_system: "{{ hosted_virtual_system_override }}"
+
+# ╔═══════════════════════════════════════════════════════════════════════════════╗
+# ║              PRELIM | Section 19 HKU Scope (Per CIS Specification)            ║
+# ║                                                                               ║
+# ║  Section 19 targets domain-joined interactive users only. The correct         ║
+# ║  source is HKEY_USERS subkeys already loaded in the registry by Windows       ║
+# ║  at logon — no manual NTUSER.DAT loading is required or recommended.          ║
+# ║                                                                               ║
+# ║  Per CIS, include only subkeys where:                                         ║
+# ║    - SID begins with S-1-5-21-*  (domain interactive users)                   ║
+# ║    - Does NOT end with _Classes                                               ║
+# ║    - Is NOT .DEFAULT, S-1-5-18, S-1-5-19, or S-1-5-20                         ║
+# ║    - Is NOT an NT SERVICE SID (S-1-5-80-*)                                    ║
+# ║                                                                               ║
+# ║  If no users are currently logged on, section 19 is not considered out of     ║
+# ║  compliance per CIS. Tasks will simply loop over an empty list.               ║
+# ╚═══════════════════════════════════════════════════════════════════════════════╝
+- name: "PRELIM | Obtain Current Interactive User Hives"
   when: win22cis_section19
   tags: always
   block:
-    - name: PRELIM | Obtain Then Load Default And User Hives | Load default user hive (Account that all new users get created from profile)
-      ansible.windows.win_shell: REG LOAD HKU\DEFAULT C:\Users\Default\NTUSER.DAT
-      changed_when: false
-      failed_when: false
-
-    - name: PRELIM | Obtain Then Load Default And User Hives | Pull all username and SIDs
-      ansible.windows.win_shell: Get-CimInstance -Class Win32_UserAccount -Filter "SID LIKE 'S-1-5-%'" | ForEach-Object { $_.Name + " " + $_.SID }
-      changed_when: false
-      failed_when: false
-      register: prelim_all_users
-
-    - name: PRELIM | Obtain Then Load Default And User Hives | Create results list fact for username and SIDs
-      ansible.builtin.set_fact:
-        prelim_username_and_sid_results_list: "{{ prelim_all_users.stdout_lines | map('split', ' ') | list }}"
-
-    - name: PRELIM | Obtain Then Load Default And User Hives | Load all user hives from username and SIDs list
-      ansible.windows.win_shell: REG LOAD HKU\{{ item.1 }} C:\Users\{{ item.0 }}\NTUSER.DAT
-      changed_when: false
-      failed_when: false
-      loop: "{{ prelim_username_and_sid_results_list }}"
-
-    - name: PRELIM | Obtain Then Load Default And User Hives | Retrieve current users SIDs from HKEY_USERS
-      ansible.windows.win_shell: (Get-ChildItem "REGISTRY::HKEY_USERS").name | Where-Object {$_ -notlike "*_classes"}
+    - name: PRELIM | Obtain Current Interactive User Hives | Retrieve live domain user SIDs from HKEY_USERS
+      vars:
+        hku_script: |
+          $users = (Get-ChildItem 'REGISTRY::HKEY_USERS').Name
+          $users | Where-Object {
+            $_ -match 'S-1-5-21-' -and
+            $_ -notlike '*_Classes' -and
+            $_ -notmatch 'S-1-5-18|S-1-5-19|S-1-5-20' -and
+            $_ -notmatch 'S-1-5-80-'
+          } | ForEach-Object { $_ -replace 'HKEY_USERS\\', '' }
+      ansible.windows.win_shell: "{{ hku_script }}"
       changed_when: false
-      failed_when: false
       register: prelim_current_users_loaded_hku
 
-    - name: PRELIM | Obtain Then Load Default And User Hives | Create list fact for current users SIDs from HKEY_USERS
+    - name: PRELIM | Obtain Current Interactive User Hives | Set list fact for live user SIDs
       ansible.builtin.set_fact:
-        prelim_hku_loaded_list: "{{ prelim_current_users_loaded_hku.stdout | regex_replace('HKEY_USERS\\\\', '') | split }}"
+        prelim_hku_loaded_list: "{{ prelim_current_users_loaded_hku.stdout_lines }}"

tasks/ansible_hardening/prelim.yml

@@ -635,7 +635,7 @@
   when:
     - win22cis_rule_2_2_21
     - prelim_win22cis_is_domain_controller
-    - not win_skip_for_test
+    - not (win_skip_for_test | bool)
   tags:
     - level1-domaincontroller
     - rule_2.2.21
@@ -790,7 +790,7 @@
   when:
     - win22cis_rule_2_2_26
     - prelim_win22cis_is_domain_controller
-    - not win_skip_for_test
+    - not (win_skip_for_test | bool)
   tags:
     - level1-domaincontroller
     - rule_2.2.26
@@ -822,7 +822,7 @@
   when:
     - win22cis_rule_2_2_27
     - prelim_win22cis_is_domain_member
-    - not win_skip_for_test
+    - not (win_skip_for_test | bool)
   tags:
     - level1-memberserver
     - rule_2.2.27
@@ -1604,7 +1604,7 @@
 - name: "2.3.1.3 | PATCH | Configure Accounts Rename administrator account"
   when:
     - win22cis_rule_2_3_1_3
-    - not win_skip_for_test
+    - not (win_skip_for_test | bool)
   tags:
     - level1-domaincontroller
     - level1-memberserver