Releases: ansible-lockdown/Windows-2019-CIS
Benchmark V3.0.1 CIS - Release 3.1.1
What's Changed
- Benchmark v3.0.0 Updates by @MrSteve81 in ansible-lockdown/Windows-2016-CIS#59
- Benchmark v3.0.0 Updates by @MrSteve81 in ansible-lockdown/Windows-2016-CIS#60
- Benchmark v3.0.0 Updates by @MrSteve81 in ansible-lockdown/Windows-2016-CIS#61
- Release 1.1.1 Updates by @MrSteve81 in ansible-lockdown/Windows-2016-CIS#62
- Update To Workflows and Changelog by @MrSteve81 in ansible-lockdown/Windows-2016-CIS#65
May 2025 Update
Fixed Control 18.6.14.1 For Missing RequirePrivacy=1 in Ansible Hardening And title. - Thanks @mfortin
Updated 18.10.56.3.10.2 value to 60000 from 6000 in remediate and GPO - Thanks @mfortin
Updated 18.10.79.2 Path In Remediate - Thanks @mfortin
Updated 18.10.92.4.1 ManagePreviewBuildsPolicyValue to 1. - Thanks @mfortin
Updated Pipelines Branches Trigger
Updated Readme with New Badges
Full Changelog: v1.3.0...3.1.1
Updated CIS Benchmark V3.0.1
Based on Windows Server 2019 CIS V3.0.1
What's Changed
- Control 2.3.10.9 fix by @MrSteve81 in #117
- Cloud bug fix by @MrSteve81 in #118
- Cloud Fix And Tag Fix by @MrSteve81 in #119
Full Changelog: 3.0.0...3.1.0
Benchmark V3.0.1 CIS
Based on Windows Server 2019 CIS V3.0.1
What's Changed
‼️ Be aware there were major changes to this release. The entire structure of the playbook has changed with many new additions. Please check the change log for additional notes. ‼️
- Added the ability to create tailored Group Policy Objects (GPOs) compliant with CIS benchmarks using Ansible.
- Custom GPOs based around variables in defaults/main.
- New variables for the GPO creation.
- Turn on and off controls to add them to the GPOs.
- More flexibility in the way the GPOs are created for Lvl1 and Lvl2.
- Banner Update
- NIST Tags Added
- Updated prelim Set system facts based on gather facts module naming.
- Updated all win_regedit paths to reflect capitalized System/Software registry entries.
- Removed all "state: present" (Default) value from the "win_regedit" module.
- Updated tasks in the prelim and post so that their headers also match the section.
- Updated when's with "primary domain controller" to "domain controller"
- Verified all controls meet new CIS standards for 3.0.1
- Fixed meta for galaxy.
- Removed Control 9.2.3 and moved all tasks left from 9.2.4 - 9.2.8 to 9.2.3 - 9.2.7
- Removed Control 9.2.8 from Default Main
- Control 18.9.5.2 has a new option for variables.
- Updated tasks to align with Windows2019CISv3.0.1 release
- Updated LegalNoticeCaption var with title fix - Thank you @rlmass
- Updated PRELIM | Set Fact If Cloud Based System to include ansible_system_vendor. - Thanks @mfortin
- Updated Pipelines - Thanks @mfortin
- Updated DisableBkGndGroupPolicy To 0 "Disabled" - Thanks @dennisharder-alight
- Updated ManagePreviewBuildsPolicyValue To 0 "Disabled" - Thanks @dennisharder-al
- Update set_fact prelim vars with prefix prelim_ throughout the playbook
General Other Updates
Issues Addressed:
- #101 - Thanks @dennisharder-alight
- #103 - Thanks @Crombell95
- #104 - Thanks @devallan
- #107 - Thanks @animatco & @kpi-nourman
- ansible-lockdown/Windows-2022-CIS#49 - Thanks @animatco
- 2024 Feb Updates: Bug and Typo Fixes by @frederickw082922 in #95
- Update Of Default Main by @MrSteve81 in #97
- 2024 April Update: Section 1.2.x Logic, Section 19 HKU Improvement, Handler Fixes, Prelim Fixes by @frederickw082922 in #100
- Fix CIS control ids by @mfortin in #99
- 2024 Fix Updates - Fix for #101 by @frederickw082922 in #102
- Dec24 Issue Updates by @MrSteve81 in #106
- V3.0.1 Release by @MrSteve81 in #112
New Contributors
Full Changelog: 2.0.0...3.0.0
Benchmark 2.0.0 Updates
CIS Version: 2.0.0
CIS Version Release Benchmark v2.0.0 - 04-14-2023
REMOVE - 18.5.4 (L1) Ensure 'Configure DNS over HTTPS (DoH) name resolution' is set to 'Enabled: Allow DoH' or higher
UPDATE - 18.9.89 'Allow Windows Ink Workspace' TO 'Enabled: On, but disallow access above lock' OR 'Enabled: Disabled'
UPDATE - Section changes from Windows 11 Release 22H2 Administrative Templates
UPDATE - 18.10.87 (L1) 'Turn on PowerShell Transcription' is set to 'Disabled' TO 'Enabled'
ADD - 1.2 (L1) Ensure 'Allow Administrator account lockout' is set to 'Enabled'
REMOVE - 2.3.1 (L1) Ensure 'Accounts: Administrator account status' is set to 'Disabled'
ADD - 18.4 (L1) Ensure 'Configure RPC packet level privacy setting for incoming connections' is set to 'Enabled'
MOVE - 18.4 (L1) Ensure 'Limits print driver installation to Administrators' is set to 'Enabled' TO 18.7
ADD - 18.4 (L1) Ensure 'LSA Protection' is set to 'Enabled'
ADD - 18.6.4 (L1) Ensure 'Configure NetBIOS settings' is set to 'Enabled: Disable NetBIOS name resolution on public networks'
ADD - 18.7 (L1) Ensure 'Configure Redirection Guard' is set to 'Enabled: Redirection Guard Enabled'
ADD - 18.7 (L1) Ensure 'Configure RPC connection settings: Protocol to use for outgoing RPC connections' is set to 'Enabled: RPC over TCP'
ADD - 18.7 (L1) Ensure 'Configure RPC connection settings: Use authentication for outgoing RPC connections' is set to 'Enabled: Default'
ADD - 18.7 (L1) Ensure 'Configure RPC listener settings: Protocols to allow for incoming RPC connections' is set to 'Enabled: RPC over TCP'
ADD - 18.7 (L1) Ensure 'Configure RPC listener settings: Authentication protocol to use for incoming RPC connections' is set to 'Enabled: Negotiate' or higher
ADD - 18.7 (L1) Ensure 'Manage processing of Queue-specific files' is set to 'Enabled: Limit Queue-specific files to Color profiles'
ADD - 18.10.17 (L1) Ensure 'Enable App Installer' is set to 'Disabled'
ADD - 18.10.17 (L1) Ensure 'Enable App Installer Experimental Features' is set to 'Disabled'
ADD - 18.10.17 (L1) Ensure 'Enable App Installer Hash Override' is set to 'Disabled'
ADD - 18.10.17 (L1) Ensure 'Enable App Installer ms-appinstaller protocol' is set to 'Disabled'
UPDATE - 18.10.43.6.1 (L1) Ensure 'Configure Attack Surface Reduction rules' with additional ASR rule for "Block abuse of exploited vulnerable signed drivers"
ADD - 18.10.59 (L2) Ensure 'Allow search highlights' is set to 'Disabled'
ADD - 18.7 (L1) Ensure 'Configure RPC over TCP port' is set to 'Enabled: 0'
Benchmark 1.3.0 Updates
CIS Version: 1.3.0
CIS Version Release Date: 3-18-2022
Enhancements
- Issues Closed
- Benchmarks 1.2.1 - 1.2.3 Put In Correct Order To Take Into Account System Defaults.
- Benchmark 1.1.7 - Added
- Benchmark 2.2.37 - Added Variable To Choose If Exchange Server Installed.
- Benchmark 2.3.6.5 - Added Variable
- Benchmark 2.3.7.3 - Added Variable
- Benchmark 2.3.7.6 - Added Variable
- Benchmark 2.3.7.7 - Added Variable
- Benchmark 18.4.9 - Added Variable
- Benchmark 18.4.12 - Added Variable
- Benchmark 18.8.3.1 - Old setting was set to disabled, new benchmark calls for enabled. Updated registry value.
- Benchmark 18.9.12.1 - Calls For Disabled, Updated and Changed Registry Entry To Disable.
- Benchmark 18.9.17.2 - Calls For Enabled, Updated and Changed Registry Entry To Enable.
- Benchmark 18.9.27.1.2 - Added Variable
- Benchmark 18.9.27.2.2 - Added Variable
- Benchmark 18.9.27.3.2 - Added Variable
- Benchmark 18.9.27.4.2 - Added Variable
- Benchmark 18.9.64.1 - Added
- Benchmark 18.9.65.3.10.1 - Added Variable
- Benchmark 18.9.65.3.10.2 - Updated the registry entry time to 1 Min per CIS.
- Benchmark 19.3.3 - Added Variable
- Benchmark 19.1.3.4 - Removed, Not A Valid Control
What's Changed
- Win 2019 CIS v1.3.0 release by @MrSteve81 in #66
- Yamllint Update, Yamllint Check, Ansible-lint Check, Module Names Update, Banner Fix, Bug #67 by @MrSteve81 in #68
- April pipeline fixes, Workflow files, Added Cloud Support For Tasks 1.2.1 - 3 by @MrSteve81 in #71
- Update Changelog by @MrSteve81 in #73
- April pipeline fixes for offer variable by @MrSteve81 in #74
- Win Skip For Test Name Update, Set system facts based on gather facts module default vars by @MrSteve81 in #76
- Templates Update, Cloud Control Fixed, When Statement Fixes, Workflow by @MrSteve81 in #78
- Updated Changelog For Version Release, Whitespaces, Meta Data, Readme Update by @MrSteve81 in #79
- Update To CIS 1.3 by @MrSteve81 in #81
- Update Changelog by @MrSteve81 in #84
- Workflow update by @MrSteve81 in #83
New Contributors
- @MrSteve81 made their first contribution in #66
Full Changelog: 1.2.0...1.3.0
Benchmark 1.3.0
Issue Fixes and Control Additions
CIS Version: 1.1.0 01-14-2020
Issue Fixes:
#37 - 18.9.59.3.11.1 - Updated level tags
#38 - 18.1.2.2 - Implemented control
#39 - 18.3.1 - Implemented control
#40 - 2.3.1.5/2.3.1.6 - Created variables for values
#41 - 2.2.47 - Updated value
#42 - 2.2.18 - Added logic for Hyper-V role not being installed
Enhancements:
Fixed linting issues to work with Galaxy
Implemented 18.1.3
Implemented 18.2.1
Implemented 18.2.2
Implemented 18.2.3
Implemented 18.2.4
Implemented 18.2.5
Implemented 18.2.6
Implemented 18.3.2
Implemented 18.3.5
Issue Fixes
CIS Version: 1.1.0 01-14-2020
Issues Addressed:
#14 - 18.3.4 - Bad data value
#15 - 18.3.6 - Bad data value
#16 - 18.5.21.1 - Bad data value
#17 - 18.9.77.13.3.1 - Bad regkey name
#18 - 18.9.95.1 - Bad data value
#19 - 18.9.95.2 - Bad data value
#21 - 18.9.26.3.1 - Bad regkey path
#23 - 18.9.26.1.1 - Bad data type
#24 - 19.7.4.1 - Bad data value
#25 - 2.3.6.4 - Bad data value
#26 - 2.3.11.4 - Bad data value
#27 - 17.5.1 - Bad shell command (fixed success:enable to failure:enable)
#28 - 9.1.4/9.2.4/9.3.4 - Bad data value
Minor fixes and adjustments
Initial Release
CIS Version: 1.1.0 01-14-2020