Merge pull request #62 from ansible-lockdown/devel

Author: MrSteve81

.github/workflows/devel_pipeline_validation.yml

@@ -6,12 +6,13 @@ name: Ansible Remediate Devel Pipeline Validation
 
 # Controls when the action will run.
 # Triggers the workflow on push or pull request
-# events but only for the devel branch
+# events but only for the devel branch and any branch that contains benchmark in name.
 on:  # yamllint disable-line rule:truthy
   pull_request_target:
     types: [opened, reopened, synchronize]
     branches:
       - devel
+      - benchmark*
     paths:
       - '**.yml'
       - '**.sh'

.github/workflows/devel_pipeline_validation_gpo.yml

@@ -6,12 +6,13 @@ name: GPO Devel Pipeline Validation
 
 # Controls when the action will run.
 # Triggers the workflow on push or pull request
-# events but only for the devel branch
+# events but only for the devel branch and any branch that contains benchmark in name.
 on:  # yamllint disable-line rule:truthy
   pull_request_target:
     types: [opened, reopened, synchronize]
     branches:
       - devel
+      - benchmark*
     paths:
       - '**.yml'
       - '**.sh'

.github/workflows/export_badges_private.yml

@@ -0,0 +1,27 @@
+---
+
+name: Export Private Repo Badges
+
+# Use different minute offsets with the same hourly pattern:
+# Repo Group Suggested Cron Expression Explanation
+# Group A 0 */6 * * * Starts at top of hour
+# Group B 10 */6 * * * Starts art 10 after
+# And So On
+
+on:
+  push:
+    branches:
+      - latest
+  schedule:
+    - cron: '0 */6 * * *'
+  workflow_dispatch:
+
+jobs:
+  export-badges:
+    if: github.event_name == 'workflow_dispatch' || (github.event_name == 'schedule' && startsWith(inputs.repo_name, 'ansible-lockdown/Private-')) || (github.event_name == 'push' && github.ref_name == 'latest')
+    uses: ansible-lockdown/github_windows_IaC/.github/workflows/export_badges_private.yml@self_hosted
+    with:
+      # Full org/repo path passed for GitHub API calls (e.g., ansible-lockdown/Private-Windows-2016-CIS)
+      repo_name: ${{ github.repository }}
+    secrets:
+      BADGE_PUSH_TOKEN: ${{ secrets.BADGE_PUSH_TOKEN }}

.github/workflows/export_badges_public.yml

@@ -0,0 +1,19 @@
+---
+
+name: Export Public Repo Badges
+
+on:
+  push:
+    branches:
+      - main
+      - devel
+  workflow_dispatch:
+
+jobs:
+  export-badges:
+    if: github.repository_visibility == 'public' && (github.event_name == 'workflow_dispatch' || (github.event_name == 'push' && (github.ref_name == 'devel' || github.ref_name == 'main')))
+    uses: ansible-lockdown/github_windows_IaC/.github/workflows/export_badges_public.yml@self_hosted
+    with:
+      repo_name: ${{ github.repository }}
+    secrets:
+      BADGE_PUSH_TOKEN: ${{ secrets.BADGE_PUSH_TOKEN }}

.github/workflows/main_pipeline_validation.yml

@@ -6,12 +6,13 @@ name: Ansible Remediate Main Pipeline Validation
 
 # Controls when the action will run.
 # Triggers the workflow on push or pull request
-# events but only for the devel branch
+# events but only for the main or latest branch
 on:  # yamllint disable-line rule:truthy
   pull_request_target:
     types: [opened, reopened, synchronize]
     branches:
       - main
+      - latest
     paths:
       - '**.yml'
       - '**.sh'

.github/workflows/main_pipeline_validation_gpo.yml

@@ -6,12 +6,13 @@ name: GPO Main Pipeline Validation
 
 # Controls when the action will run.
 # Triggers the workflow on push or pull request
-# events but only for the devel branch
+# events but only for the main or latest branch
 on:  # yamllint disable-line rule:truthy
   pull_request_target:
     types: [opened, reopened, synchronize]
     branches:
       - main
+      - latest
     paths:
       - '**.yml'
       - '**.sh'

.gitignore

@@ -45,3 +45,4 @@ benchparse/
 .github/
 .github/.ansible/.lock
 .ansible/
+.DS_Store

ChangeLog.md

@@ -1,15 +1,28 @@
 # Changelog
 
+## Release 1.1.1
+
+May 2025 Update
+  - Fixed Control 18.6.14.1 For Missing RequirePrivacy=1 in Ansible Hardening. - Thanks @mfortin
+  - Updated Pipelines branches run on.
+  - Updated 18.10.56.3.10.2 value to 60000 from 6000 in Remediate and GPO - Thanks @mfortin
+  - Updated 18.10.79.2 Path In Remediate - Thanks @mfortin
+  - Updated 18.10.92.4.1 ManagePreviewBuildsPolicyValue to 1. - Thanks @mfortin
+
 ## Release 1.1.0
 
+February 2025 Update
+  - Added the cloud lockout cloud tasks import that was removed last release.
+
+## Release 1.0.1
+
 February 2025 Update
   - Added new Readme Badges
   - General Typos and Fixes
   - All Workflows Updated
   - Fixed Control Tag for rule_2.3.10.9
-  - Added the cloud lockout cloud tasks import that was removed last release.
 
 ## Release 1.0.0
 
-February 2025
+February 2025 Update
   - Initial Release of Windows 2016 3.0.0 Benchmark

README.md

@@ -6,30 +6,54 @@
 
 ---
 
+## Public Repository 📣
+
 ![Org Stars](https://img.shields.io/github/stars/ansible-lockdown?label=Org%20Stars&style=social)
 ![Stars](https://img.shields.io/github/stars/ansible-lockdown/Windows-2016-CIS?label=Repo%20Stars&style=social)
 ![Forks](https://img.shields.io/github/forks/ansible-lockdown/Windows-2016-CIS?style=social)
 ![Followers](https://img.shields.io/github/followers/ansible-lockdown?style=social)
 [![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/AnsibleLockdown.svg?style=social&label=Follow%20%40AnsibleLockdown)](https://twitter.com/AnsibleLockdown)
-
 ![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord)
 
+![License](https://img.shields.io/github/license/ansible-lockdown/Windows-2016-CIS?label=License)
+
+## Lint & Pre-Commit Tools 🔧
+
+[![Pre-Commit.ci](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_windows_IaC/badges/Windows-2016-CIS/pre-commit-ci.json)](https://results.pre-commit.ci/latest/github/ansible-lockdown/Windows-2016-CIS/devel)
+![YamlLint](https://img.shields.io/badge/yamllint-Present-brightgreen?style=flat&logo=yaml&logoColor=white)
+![Ansible-Lint](https://img.shields.io/badge/ansible--lint-Present-brightgreen?style=flat&logo=ansible&logoColor=white)
+
+## Community Release Information 📂
+
 ![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen)
-![Release Tag](https://img.shields.io/github/v/tag/ansible-lockdown/Windows-2016-CIS?label=Release%20Tag&&color=success)
+![Release Tag](https://img.shields.io/github/v/tag/ansible-lockdown/Windows-2016-CIS?label=Release%20Tag&color=success)
 ![Main Release Date](https://img.shields.io/github/release-date/ansible-lockdown/Windows-2016-CIS?label=Release%20Date)
+![Benchmark Version Main](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_windows_IaC/badges/Windows-2016-CIS/benchmark-version-main.json)
+![Benchmark Version Devel](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_windows_IaC/badges/Windows-2016-CIS/benchmark-version-devel.json)
 
 [![Main Pipeline Status](https://github.com/ansible-lockdown/Windows-2016-CIS/actions/workflows/main_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/Windows-2016-CIS/actions/workflows/main_pipeline_validation.yml)
 [![GPO Main Pipeline Status](https://github.com/ansible-lockdown/Windows-2016-CIS/actions/workflows/main_pipeline_validation_gpo.yml/badge.svg?)](https://github.com/ansible-lockdown/Windows-2016-CIS/actions/workflows/main_pipeline_validation_gpo.yml)
 
 [![Devel Pipeline Status](https://github.com/ansible-lockdown/Windows-2016-CIS/actions/workflows/devel_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/Windows-2016-CIS/actions/workflows/devel_pipeline_validation.yml)
 [![GPO Devel Pipeline Status](https://github.com/ansible-lockdown/Windows-2016-CIS/actions/workflows/devel_pipeline_validation_gpo.yml/badge.svg?)](https://github.com/ansible-lockdown/Windows-2016-CIS/actions/workflows/devel_pipeline_validation_gpo.yml)
-![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/Windows-2016-CIS/devel?color=dark%20green&label=Devel%20Branch%20Commits)
 
-![Issues Open](https://img.shields.io/github/issues-raw/ansible-lockdown/Windows-2016-CIS?label=Open%20Issues)
-![Issues Closed](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/Windows-2016-CIS?label=Closed%20Issues&&color=success)
+![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/Windows-2016-CIS/devel?color=darkgreen&label=Devel%20Branch%20Commits)
+![Open Issues](https://img.shields.io/github/issues-raw/ansible-lockdown/Windows-2016-CIS?label=Open%20Issues)
+![Closed Issues](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/Windows-2016-CIS?label=Closed%20Issues&color=success)
 ![Pull Requests](https://img.shields.io/github/issues-pr/ansible-lockdown/Windows-2016-CIS?label=Pull%20Requests)
 
-![License](https://img.shields.io/github/license/ansible-lockdown/Windows-2016-CIS?label=License)
+---
+
+## Subscriber Release Information 🔐
+
+![Private Release Branch](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_windows_IaC/badges/Private-Windows-2016-CIS/release-branch.json)
+![Private Benchmark Version](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_windows_IaC/badges/Private-Windows-2016-CIS/benchmark-version.json)
+
+[![Private Remediate Pipeline](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_windows_IaC/badges/Private-Windows-2016-CIS/remediate.json)](https://github.com/ansible-lockdown/Private-Windows-2016-CIS/actions/workflows/main_pipeline_validation.yml)
+[![Private GPO Pipeline](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_windows_IaC/badges/Private-Windows-2016-CIS/gpo.json)](https://github.com/ansible-lockdown/Private-Windows-2016-CIS/actions/workflows/main_pipeline_validation_gpo.yml)
+
+![Private Pull Requests](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_windows_IaC/badges/Private-Windows-2016-CIS/prs.json)
+![Private Closed Issues](https://img.shields.io/endpoint?url=https://ansible-lockdown.github.io/github_windows_IaC/badges/Private-Windows-2016-CIS/issues-closed.json)
 
 ---
 

tasks/ansible_hardening/section01_cloud_lockout_order.yml

@@ -1,7 +1,7 @@
 ---
 
 # THE FOLLOWING 3 CONTROLS WILL FAIL UNLESS THEY ARE IN THE FOLLOWING ORDER FOR CLOUD-BASED SYSTEMS
-# CONTROL 1.2.2, CONTROL 1.2.1, CONTROL 1.2.4
+# CONTROL 1.2.2, CONTROL 1.2.4, CONTROL 1.2.1, CONTROL 1.2.3
 - name: "1.2.2 | PATCH | Ensure Account lockout threshold is set to 5 or fewer invalid logon attempt(s), but not 0."
   when: win16cis_rule_1_2_2
   tags:
@@ -121,4 +121,3 @@
     section: System Access
     key: AllowAdministratorLockout
     value: "{{ win16cis_allow_admin_account_lockout }}"
-

tasks/ansible_hardening/section18.yml

@@ -727,7 +727,7 @@
     data: 1
     type: dword
 
-- name: "18.6.14.1 | PATCH | Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all NETLOGON and SYSVOL shares"
+- name: "18.6.14.1 | PATCH | Ensure 'Hardened UNC Paths' is set to 'Enabled, with Require Mutual Authentication, Require Integrity, and Require Privacy set for all NETLOGON and SYSVOL shares"
   when: win16cis_rule_18_6_14_1
   tags:
     - level1-domaincontroller
@@ -737,18 +737,18 @@
     - paths
     - unc
   block:
-    - name: "18.6.14.1 | PATCH | Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all NETLOGON shares"
+    - name: "18.6.14.1 | PATCH | Ensure 'Hardened UNC Paths' is set to 'Enabled, with Require Mutual Authentication, Require Integrity, and Require Privacy set for all NETLOGON and SYSVOL shares"
       ansible.windows.win_regedit:
         path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths
         name: "\\\\*\\NETLOGON"
-        data: "RequireMutualAuthentication=1, RequireIntegrity=1"
+        data: "RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=1"
         type: string
 
-    - name: "18.6.14.1 | PATCH | Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all SYSVOL shares"
+    - name: "18.6.14.1 | PATCH | Ensure 'Hardened UNC Paths' is set to 'Enabled, with Require Mutual Authentication, Require Integrity, and Require Privacy set for all NETLOGON and SYSVOL shares"
       ansible.windows.win_regedit:
         path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths
         name: "\\\\*\\SYSVOL"
-        data: "RequireMutualAuthentication=1, RequireIntegrity=1"
+        data: "RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=1"
         type: string
 
 - name: "18.6.19.2.1 | PATCH | Disable IPv6 Ensure TCPIP6 Parameter DisabledComponents is set to 0xff 255"
@@ -2950,7 +2950,7 @@
   ansible.windows.win_regedit:
     path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Nt\Terminal Services
     name: MaxDisconnectionTime
-    data: 6000
+    data: 60000
     type: dword
 
 - name: "18.10.56.3.11.1 | PATCH | Ensure Do not delete temp folders upon exit is set to Disabled"
@@ -3102,7 +3102,7 @@
     - name: "18.10.79.2 | PATCH | Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled' | Set Variable."
       when: win16cis_allow_windows_ink_workspace == 0 or win16cis_allow_windows_ink_workspace == 1
       ansible.windows.win_regedit:
-        path: HKLM:\SOFTWARE\Microsoft\Policies\Microsoft\WindowsInkWorkspace
+        path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace
         name: AllowWindowsInkWorkspace
         data: "{{ win16cis_allow_windows_ink_workspace }}"
         type: dword
@@ -3411,7 +3411,7 @@
       ansible.windows.win_regedit:
         path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
         name: ManagePreviewBuildsPolicyValue
-        data: 0
+        data: 1
         type: dword
 
 - name: "18.10.92.4.2 | PATCH | Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days'"

tasks/gpo_creation/gpo_section18.yml

@@ -7181,7 +7181,7 @@
     $registryKeyPath = "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
     $registryValueName = "MaxDisconnectionTime"
     $type = "DWORD"
-    $desiredValue = 6000
+    $desiredValue = 60000
 
     # Get the current value of the registry key in the GPO
     $currentValue = (Get-GPRegistryValue -Name $gpoName -Key $registryKeyPath -ValueName $registryValueName -ErrorAction SilentlyContinue).Value
@@ -8322,7 +8322,7 @@
         $registryKeyPath = "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
         $registryValueName2 = "ManagePreviewBuildsPolicyValue"
         $type2 = "DWORD"
-        $desiredValue2 = 0
+        $desiredValue2 = 1
 
         # Get the current value of the registry key in the GPO
         $currentValue2 = (Get-GPRegistryValue -Name $gpoName -Key $registryKeyPath -ValueName $registryValueName2 -ErrorAction SilentlyContinue).Value