diff --git a/_modules/win_lgpo_ash.py b/_modules/win_lgpo_ash.py
index 38c9d5d..81e76dc 100644
--- a/_modules/win_lgpo_ash.py
+++ b/_modules/win_lgpo_ash.py
@@ -98,6 +98,8 @@ def __init__(self):
 "REG_DWORD": "REG_DWORD",
 "SZ": "REG_SZ",
 "REG_SZ": "REG_SZ",
+ "MULTISZ": "REG_MULTI_SZ",
+ "REG_MULTI_SZ": "REG_MULTI_SZ",
 },
 "hives": {
 "COMPUTER": "Machine",
@@ -512,6 +514,8 @@ def _buildKnownDataSearchString(
 this_element_value = struct.pack(b"Q", int(reg_data))
 elif reg_vtype == "REG_SZ":
 this_element_value = _encode_string(reg_data)
+ elif reg_vtype == "REG_MULTI_SZ":
+ this_element_value = _encode_string(reg_data)
 return b"".join(
 [
 "[".encode("utf-16-le"),
diff --git a/ash-windows/Convert_STIG_Policies.md b/ash-windows/Convert_STIG_Policies.md
index 2bf2a8e..974c692 100644
--- a/ash-windows/Convert_STIG_Policies.md
+++ b/ash-windows/Convert_STIG_Policies.md
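Review bot: The new `REG_MULTI_SZ` branch in `_buildKnownDataSearchString` encodes the value exactly as the `REG_SZ` branch does, via `_encode_string(reg_data)`, but a REG_MULTI_SZ entry in a registry.pol is a run of NUL-terminated UTF-16LE strings closed by one extra NUL, so unless `_encode_string` (defined outside this hunk) already emits that double-terminated form, the search string built here will not match the bytes actually stored and the existing-policy lookup will silently miss multi-string entries, most likely leading to duplicated or never-updated policy records. Either split `reg_data` on whatever separator the callers use and encode each element with its terminator plus the final NUL, or document at the branch that `reg_data` must already be in joined form, e.g. `# REG_MULTI_SZ: reg_data is expected to be pre-joined; _encode_string must yield the double-NUL-terminated layout`. If the two branches really are meant to be identical, fold them into one: `elif reg_vtype in ("REG_SZ", "REG_MULTI_SZ"):`. `_buildKnownDataSearchString` starts before and ends after this hunk, so the size field derived from `this_element_value` further down could not be checked here.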
@@ -1,31 +1,69 @@ +- Download the latest available DISA-provided GPO baseline zip file: https://public.cyber.mil/stigs/gpo/ + +- Unzip the GPO baseline file on your computer + +- Open the unzipped folder and browse to the desired baseline to update + +- To identify the STIG GPO baseline associated with each GUID, you have to navigate into the GUID directories and open gpreport.xml. The tag near the top in the xml will identify the STIG baseline provided + +- Depending on the baseline, the `Machine` and `User` policies maybe under the same GUID or separate GUIDs. In either case, the following steps still applies + + - Open `{GUID}\DomainSysvol\GPO\Machine` and copy `registry.pol` to the `stig/` folder, renaming it to `machine_registry.pol`. Skip this step if `registry.pol` is missing or contains no policies (e.g. File size is very small) + + - Check for `audit.csv` and `GptTmpl.inf` files under `{GUID}\DomainSysvol\GPO\Machine\microsoft\windows nt\` and copy them to `stig/` + + - Open `{GUID}\DomainSysvol\GPO\User` and copy `registry.pol` to the `stig/` folder, renaming it to `user_registry.pol`. Again, skip if `registry.pol` is missing or contains no policies (e.g. 
File size is very small) + + - Run the PowerShell code below from the root of the ash-windows-formula repo + ```powershell $baselines = @( - 'IE_10', - 'IE_11', - 'IE_8', - 'IE_9', - 'Windows_2008ServerR2_DC', - 'Windows_2008ServerR2_MS', - 'Windows_2012ServerR2_DC', - 'Windows_2012ServerR2_MS', - 'Windows_8.1', + 'IE_11' 'Windows_10' + 'Windows_11' + 'Windows_2012ServerR2_DC' + 'Windows_2012ServerR2_MS' + 'Windows_2016Server_DC' + 'Windows_2016Server_MS' + 'Windows_2019Server_DC' + 'Windows_2019Server_MS' + 'Windows_2022Server_DC' + 'Windows_2022Server_MS' ) foreach ($baseline in $baselines) { - $dir = Resolve-Path ".\ash-windows\stig\$baseline" - $StigInf = "${dir}\stig.inf" - $StigTxt = "${dir}\stig.txt" + $dir = ".\ash-windows\stig\$baseline" + $gpttmpl_inf = "$dir\GptTmpl.inf" + $user_pol = "$dir\user_registry.pol" + $machine_pol = "$dir\machine_registry.pol" + + $TxtFile = "$gpttmpl_inf" + $YmlFile = "$(Resolve-Path $dir)\gpttmpl.yml" + if (Test-Path "$TxtFile") + { + Write-Host "Processing $TxtFile" + python .\ash-windows\tools\convert-lgpo-policy.py ` + src_file="$TxtFile" ` + dst_file="$YmlFile" + } + else + { + # We need to ensure an empty YmlFile exists + $null = New-Item -Path $YmlFile -ItemType File -Force + } - $PolFile = $StigInf - $YmlFile = "${dir}\stig.inf.yml" - if (Test-Path "$PolFile") + $TxtFile = "${dir}\user_registry.txt" + $YmlFile = "${dir}\user_registry.yml" + rm $TxtFile -ErrorAction SilentlyContinue + if (Test-Path "$user_pol") { - Write-Host "Processing $PolFile" + .\ash-windows\tools\LGPO.exe /parse /u "$user_pol" | Out-File "$TxtFile" -Encoding "ascii" + Write-Host "Processing $TxtFile" python .\ash-windows\tools\convert-lgpo-policy.py ` - src_file="$PolFile" ` + src_file="$TxtFile" ` dst_file="$YmlFile" + rm $TxtFile -ErrorAction SilentlyContinue } else { 
@@ -33,19 +71,26 @@ foreach ($baseline in $baselines) $null = New-Item -Path $YmlFile -ItemType File -Force } - $PolFile = $StigTxt - $YmlFile = "${dir}\stig.txt.yml" - if (Test-Path "$PolFile") + $TxtFile = "${dir}\machine_registry.txt" + $YmlFile = "${dir}\machine_registry.yml" + #rm $TxtFile -ErrorAction SilentlyContinue + if (Test-Path "$machine_pol") { - Write-Host "Processing $PolFile" + .\ash-windows\tools\LGPO.exe /parse /m "$machine_pol" | Out-File "$TxtFile" -Encoding "ascii" + Write-Host "Processing $TxtFile" python .\ash-windows\tools\convert-lgpo-policy.py ` - src_file="$PolFile" ` + src_file="$TxtFile" ` dst_file="$YmlFile" + rm $TxtFile -ErrorAction SilentlyContinue } else { # We need to ensure an empty YmlFile exists $null = New-Item -Path $YmlFile -ItemType File -Force } + # Combine yml files into single stig.yml file + Get-Content -Path ${dir}\user_registry.yml,${dir}\machine_registry.yml,$dir\gpttmpl.yml | Set-Content -Path $dir\stig.yml } ``` + +- After a new `stig.yml` file is generated for the STIG baseline being updated, open the file and inspect the policies. The DISA policies may have placeholder values that need to be updated or remove as needed for your environment. diff --git a/ash-windows/iavm/iavm.yml b/ash-windows/iavm/iavm.yml index 5c6e0e7..720f5e9 100644 --- a/ash-windows/iavm/iavm.yml +++ b/ash-windows/iavm/iavm.yml @@ -12,7 +12,11 @@ vtype: DWORD - key: Computer\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols policy_type: regpol - value: '2688' + value: '2048' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Internet Explorer\IEDevTools\Disabled + policy_type: regpol + value: '1' vtype: DWORD - key: Computer\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server\Enabled policy_type: regpol diff --git a/ash-windows/map.jinja b/ash-windows/map.jinja index a82f953..13c023f 100644 --- a/ash-windows/map.jinja +++ b/ash-windows/map.jinja 
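Review bot: The `SecureProtocols` value change from `'2688'` to `'2048'` is a genuine hardening step — it drops TLS 1.0 and TLS 1.1 and leaves only TLS 1.2 enabled — but the number is an opaque bitmask and nothing in the file records that intent, so the next editor cannot tell a deliberate tightening from a typo. Suggest a comment above the entry: `# SecureProtocols bitmask: 2048 = TLS 1.2 only (previous 2688 also allowed TLS 1.0 = 128 and TLS 1.1 = 512)`. Note that the new mask does not include the TLS 1.3 bit; if that is intentional for this IAVM baseline it is worth saying so in the same comment. The newly added `IEDevTools\Disabled` entry would also benefit from a one-line note on which finding it addresses, matching how the rest of the file is meant to be traceable.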
@@ -22,9 +22,11 @@
 # Define default role for supported Operating System versions
 {% set default_role = salt.grains.filter_by(
 {
+ '2022Server' : 'MemberServer',
 '2019Server' : 'MemberServer',
 '2016Server' : 'MemberServer',
 '2012ServerR2' : 'MemberServer',
+ '11' : 'Workstation',
 '10' : 'Workstation',
 },
 grain='osrelease'
diff --git a/ash-windows/sct/Windows_11/audit.csv b/ash-windows/sct/Windows_11/audit.csv
new file mode 100644
index 0000000..05cae4d
--- /dev/null
+++ b/ash-windows/sct/Windows_11/audit.csv
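Review bot: The new `'11' : 'Workstation'` key only takes effect if the `osrelease` grain really reports `11` on Windows 11 hosts; older Salt releases are reported to return `10` there, in which case such a host keeps matching the existing `'10'` entry and the Windows_11 baselines added under `sct/` in this commit would never be selected by default while the minion still believes it is hardening Windows 10. Worth confirming the minimum Salt version the formula supports and recording it next to the entry, e.g. `{#- '11' requires a Salt release whose osrelease grain distinguishes Windows 11 from 10 #}`. The same caveat applies to `'2022Server'` only insofar as the grain value has been verified on a 2022 host. The `filter_by` call continues past the end of this hunk.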
@@ -0,0 +1,24 @@ +Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value +,System,Audit Credential Validation,{0cce923f-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Security Group Management,{0cce9237-69ae-11d9-bed3-505054503030},Success,,1 +,System,Audit User Account Management,{0cce9235-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit PNP Activity,{0cce9248-69ae-11d9-bed3-505054503030},Success,,1 +,System,Audit Process Creation,{0cce922b-69ae-11d9-bed3-505054503030},Success,,1 +,System,Audit Account Lockout,{0cce9217-69ae-11d9-bed3-505054503030},Failure,,2 +,System,Audit Group Membership,{0cce9249-69ae-11d9-bed3-505054503030},Success,,1 +,System,Audit Logon,{0cce9215-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Other Logon/Logoff Events,{0cce921c-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Special Logon,{0cce921b-69ae-11d9-bed3-505054503030},Success,,1 +,System,Audit Detailed File Share,{0cce9244-69ae-11d9-bed3-505054503030},Failure,,2 +,System,Audit File Share,{0cce9224-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Other Object Access Events,{0cce9227-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Removable Storage,{0cce9245-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Audit Policy Change,{0cce922f-69ae-11d9-bed3-505054503030},Success,,1 +,System,Audit Authentication Policy Change,{0cce9230-69ae-11d9-bed3-505054503030},Success,,1 +,System,Audit MPSSVC Rule-Level Policy Change,{0cce9232-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Other Policy Change Events,{0cce9234-69ae-11d9-bed3-505054503030},Failure,,2 +,System,Audit Sensitive Privilege Use,{0cce9228-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Other System Events,{0cce9214-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Security State 
Change,{0cce9210-69ae-11d9-bed3-505054503030},Success,,1 +,System,Audit Security System Extension,{0cce9211-69ae-11d9-bed3-505054503030},Success,,1 +,System,Audit System Integrity,{0cce9212-69ae-11d9-bed3-505054503030},Success and Failure,,3 diff --git a/ash-windows/sct/Windows_11/gpttmpl.yml b/ash-windows/sct/Windows_11/gpttmpl.yml new file mode 100644 index 0000000..bd597aa --- /dev/null +++ b/ash-windows/sct/Windows_11/gpttmpl.yml 
@@ -0,0 +1,188 @@ +- name: LSAAnonymousNameLookup + policy_type: secedit + value: '0' +- name: SeSecurityPrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeRestorePrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeTakeOwnershipPrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeBackupPrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeDenyRemoteInteractiveLogonRight + policy_type: secedit + value: '*S-1-5-113' +- name: SeCreatePermanentPrivilege + policy_type: secedit + value: '' +- name: SeManageVolumePrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeLoadDriverPrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeLockMemoryPrivilege + policy_type: secedit + value: '' +- name: SeDenyNetworkLogonRight + policy_type: secedit + value: '*S-1-5-113' +- name: SeNetworkLogonRight + policy_type: secedit + value: '*S-1-5-32-544,*S-1-5-32-555' +- name: SeImpersonatePrivilege + policy_type: secedit + value: '*S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20' +- name: SeCreateTokenPrivilege + policy_type: secedit + value: '' +- name: SeCreateGlobalPrivilege + policy_type: secedit + value: '*S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20' +- name: SeSystemEnvironmentPrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeCreatePagefilePrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeInteractiveLogonRight + policy_type: secedit + value: '*S-1-5-32-544,*S-1-5-32-545' +- name: SeRemoteShutdownPrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeDebugPrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeTrustedCredManAccessPrivilege + policy_type: secedit + value: '' +- name: SeProfileSingleProcessPrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeTcbPrivilege + policy_type: secedit + value: '' +- name: SeEnableDelegationPrivilege + policy_type: secedit + value: '' +- key: MACHINE\Software\Microsoft\Windows 
NT\CurrentVersion\Winlogon\ScRemoveOption + policy_type: regpol + value: '1' + vtype: SZ +- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs + policy_type: regpol + value: '900' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword + policy_type: regpol + value: '0' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Control\Lsa\SCENoApplyLegacyAuditPolicy + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec + policy_type: regpol + value: '537395200' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel + policy_type: regpol + value: '5' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\allownullsessionfallback + policy_type: regpol + value: '0' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec + policy_type: regpol + value: '537395200' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\requirestrongkey + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature + policy_type: regpol + value: '1' + vtype: DWORD +- key: 
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\sealsecurechannel + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\requiresignorseal + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\signsecurechannel + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\requiresecuritysignature + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin + policy_type: regpol + value: '2' + vtype: DWORD +- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser + policy_type: regpol + value: '0' + vtype: DWORD +- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Control\Lsa\RestrictRemoteSAM + policy_type: regpol + value: O:BAG:BAD:(A;;RC;;;BA) + vtype: SZ 
diff --git a/ash-windows/sct/Windows_11/init.sls b/ash-windows/sct/Windows_11/init.sls
new file mode 100644
index 0000000..53afed9
--- /dev/null
+++ b/ash-windows/sct/Windows_11/init.sls
@@ -0,0 +1 @@
+{#- Placeholder init file #}
diff --git a/ash-windows/sct/Windows_11/machine_registry.yml b/ash-windows/sct/Windows_11/machine_registry.yml
new file mode 100644
index 0000000..b4d8703
--- /dev/null
+++ b/ash-windows/sct/Windows_11/machine_registry.yml
@@ -0,0 +1,379 @@ +- key: Computer\Software\Microsoft\WcmSvc\wifinetworkmanager\config\AutoConnectAllowedOEM + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun + policy_type: regpol + value: '255' + vtype: DWORD +- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebServices + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoAutorun + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\System\MSAOptional + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableAutomaticRestartSignOn + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\AllowEncryptionOracle + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Biometrics\FacialFeatures\EnhancedAntiSpoofing + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Internet Explorer\Feeds\DisableEnclosureDownload + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\DCSettingIndex + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ACSettingIndex + policy_type: regpol + value: '1' + vtype: DWORD +- key: 
Computer\Software\Policies\Microsoft\Windows\AppPrivacy\LetAppsActivateWithVoiceAboveLock + policy_type: regpol + value: '2' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\CloudContent\DisableWindowsConsumerFeatures + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\CredentialsDelegation\AllowProtectedCreds + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\EventLog\Application\MaxSize + policy_type: regpol + value: '32768' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\EventLog\Security\MaxSize + policy_type: regpol + value: '196608' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\EventLog\System\MaxSize + policy_type: regpol + value: '32768' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\Explorer\NoAutoplayfornonVolume + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\GameDVR\AllowGameDVR + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoGPOListChanges + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoBackgroundPolicy + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\Installer\EnableUserControl + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\Kernel DMA Protection\DeviceEnumerationPolicy + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\LanmanWorkstation\AllowInsecureGuestAuth + policy_type: regpol + value: '0' + vtype: DWORD +- 
key: Computer\Software\Policies\Microsoft\Windows\Network Connections\NC_ShowSharedAccessUI + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths\\\*\SYSVOL + policy_type: regpol + value: RequireMutualAuthentication=1,RequireIntegrity=1 + vtype: SZ +- key: Computer\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths\\\*\NETLOGON + policy_type: regpol + value: RequireMutualAuthentication=1,RequireIntegrity=1 + vtype: SZ +- key: Computer\Software\Policies\Microsoft\Windows\Personalization\NoLockScreenCamera + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\Personalization\NoLockScreenSlideshow + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging + policy_type: regpol + value: '1' + vtype: DWORD +- action: DELETE + key: Computer\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockInvocationLogging + policy_type: regpol +- key: Computer\Software\Policies\Microsoft\Windows\System\AllowDomainPINLogon + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\System\EnumerateLocalUsers + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\System\EnableSmartScreen + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\System\ShellSmartScreenLevel + policy_type: regpol + value: Block + vtype: SZ +- key: Computer\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy\fBlockNonDomain + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\Windows Search\AllowIndexingEncryptedStoresOrItems + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Client\AllowDigest 
+ policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Client\AllowUnencryptedTraffic + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Client\AllowBasic + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Service\AllowUnencryptedTraffic + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Service\DisableRunAs + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Service\AllowBasic + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows NT\Printers\DisableWebPnPDownload + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint\RestrictDriverInstallationToAdministrators + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows NT\Rpc\RestrictRemoteClients + policy_type: regpol + value: '1' + vtype: DWORD +- action: DELETE + key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\fUseMailto + policy_type: regpol +- key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\fAllowToGetHelp + policy_type: regpol + value: '0' + vtype: DWORD +- action: DELETE + key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\fAllowFullControl + policy_type: regpol +- action: DELETE + key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\MaxTicketExpiry + policy_type: regpol +- action: DELETE + key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\MaxTicketExpiryUnits + policy_type: regpol +- key: Computer\Software\Policies\Microsoft\Windows 
NT\Terminal Services\MinEncryptionLevel + policy_type: regpol + value: '3' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\fPromptForPassword + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\fDisableCdm + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\DisablePasswordSaving + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\fEncryptRPCTraffic + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PolicyVersion + policy_type: regpol + value: '538' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\DefaultOutboundAction + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\DisableNotifications + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\DefaultInboundAction + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging\LogDroppedPackets + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging\LogFileSize + policy_type: regpol + value: '16384' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging\LogSuccessfulConnections + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\EnableFirewall + policy_type: regpol + value: '1' + vtype: DWORD +- key: 
Computer\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\DisableNotifications + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\DefaultInboundAction + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\DefaultOutboundAction + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging\LogSuccessfulConnections + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging\LogDroppedPackets + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging\LogFileSize + policy_type: regpol + value: '16384' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\DefaultOutboundAction + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\EnableFirewall + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\DisableNotifications + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\AllowLocalIPsecPolicyMerge + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\AllowLocalPolicyMerge + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\DefaultInboundAction + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging\LogFileSize + policy_type: regpol + value: '16384' + vtype: DWORD +- key: 
Computer\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging\LogDroppedPackets + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging\LogSuccessfulConnections + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\WindowsInkWorkspace\AllowWindowsInkWorkspace + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft Services\AdmPwd\AdmPwdEnabled + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\DisableExceptionChainValidation + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\SYSTEM\CurrentControlSet\Policies\EarlyLaunch\DriverLoadPolicy + policy_type: regpol + value: '3' + vtype: DWORD +- key: Computer\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1 + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\SYSTEM\CurrentControlSet\Services\MrxSmb10\Start + policy_type: regpol + value: '4' + vtype: DWORD +- key: Computer\SYSTEM\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\SYSTEM\CurrentControlSet\Services\Netbt\Parameters\NodeType + policy_type: regpol + value: '2' + vtype: DWORD +- key: Computer\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting + policy_type: regpol + value: '2' + vtype: DWORD +- key: Computer\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisableIPSourceRouting + policy_type: regpol + value: '2' + vtype: DWORD 
diff --git a/ash-windows/sct/Windows_11/user_registry.yml b/ash-windows/sct/Windows_11/user_registry.yml new file mode 100644 index 0000000..73858f2 --- /dev/null +++ b/ash-windows/sct/Windows_11/user_registry.yml @@ -0,0 +1,8 @@ +- key: User\Software\Policies\Microsoft\Windows\CloudContent\DisableThirdPartySuggestions + policy_type: regpol + value: '1' + vtype: DWORD +- key: User\Software\Policies\Microsoft\Windows\CurrentVersion\PushNotifications\NoToastApplicationNotificationOnLockScreen + policy_type: regpol + value: '1' + vtype: DWORD diff --git a/ash-windows/sct/Windows_2022Server_DC/audit.csv b/ash-windows/sct/Windows_2022Server_DC/audit.csv new file mode 100644 index 0000000..96e6b70 --- /dev/null +++ b/ash-windows/sct/Windows_2022Server_DC/audit.csv 
@@ -0,0 +1,30 @@ +Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value +,System,Audit Credential Validation,{0cce923f-69ae-11d9-bed3-505054503030},Failure,,2 +,System,Audit Kerberos Authentication Service,{0cce9242-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Kerberos Service Ticket Operations,{0cce9240-69ae-11d9-bed3-505054503030},Failure,,2 +,System,Audit Computer Account Management,{0cce9236-69ae-11d9-bed3-505054503030},Success,,1 +,System,Audit Other Account Management Events,{0cce923a-69ae-11d9-bed3-505054503030},Success,,1 +,System,Audit Security Group Management,{0cce9237-69ae-11d9-bed3-505054503030},Success,,1 +,System,Audit User Account Management,{0cce9235-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit PNP Activity,{0cce9248-69ae-11d9-bed3-505054503030},Success,,1 +,System,Audit Process Creation,{0cce922b-69ae-11d9-bed3-505054503030},Success,,1 +,System,Audit Directory Service Access,{0cce923b-69ae-11d9-bed3-505054503030},Failure,,2 +,System,Audit Directory Service Changes,{0cce923c-69ae-11d9-bed3-505054503030},Success,,1 +,System,Audit Account Lockout,{0cce9217-69ae-11d9-bed3-505054503030},Failure,,2 +,System,Audit Group Membership,{0cce9249-69ae-11d9-bed3-505054503030},Success,,1 +,System,Audit Logon,{0cce9215-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Other Logon/Logoff Events,{0cce921c-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Special Logon,{0cce921b-69ae-11d9-bed3-505054503030},Success,,1 +,System,Audit Detailed File Share,{0cce9244-69ae-11d9-bed3-505054503030},Failure,,2 +,System,Audit File Share,{0cce9224-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Other Object Access Events,{0cce9227-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Removable Storage,{0cce9245-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Audit Policy 
Change,{0cce922f-69ae-11d9-bed3-505054503030},Success,,1 +,System,Audit Authentication Policy Change,{0cce9230-69ae-11d9-bed3-505054503030},Success,,1 +,System,Audit MPSSVC Rule-Level Policy Change,{0cce9232-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Other Policy Change Events,{0cce9234-69ae-11d9-bed3-505054503030},Failure,,2 +,System,Audit Sensitive Privilege Use,{0cce9228-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Other System Events,{0cce9214-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Security State Change,{0cce9210-69ae-11d9-bed3-505054503030},Success,,1 +,System,Audit Security System Extension,{0cce9211-69ae-11d9-bed3-505054503030},Success,,1 +,System,Audit System Integrity,{0cce9212-69ae-11d9-bed3-505054503030},Success and Failure,,3 diff --git a/ash-windows/sct/Windows_2022Server_DC/gpttmpl.yml b/ash-windows/sct/Windows_2022Server_DC/gpttmpl.yml new file mode 100644 index 0000000..a1bfa0e --- /dev/null +++ b/ash-windows/sct/Windows_2022Server_DC/gpttmpl.yml 
@@ -0,0 +1,189 @@ +- name: LSAAnonymousNameLookup + policy_type: secedit + value: '0' +- name: SeSecurityPrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeCreateTokenPrivilege + policy_type: secedit + value: '' +- name: SeTrustedCredManAccessPrivilege + policy_type: secedit + value: '' +- name: SeRemoteInteractiveLogonRight + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeCreatePagefilePrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeRemoteShutdownPrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeLoadDriverPrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeRestorePrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeCreateGlobalPrivilege + policy_type: secedit + value: '*S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20' +- name: SeManageVolumePrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeInteractiveLogonRight + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeEnableDelegationPrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeCreatePermanentPrivilege + policy_type: secedit + value: '' +- name: SeDebugPrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeProfileSingleProcessPrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeBackupPrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeNetworkLogonRight + policy_type: secedit + value: '*S-1-5-32-544,*S-1-5-11,*S-1-5-9' +- name: SeImpersonatePrivilege + policy_type: secedit + value: '*S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20' +- name: SeSystemEnvironmentPrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeLockMemoryPrivilege + policy_type: secedit + value: '' +- name: SeTcbPrivilege + policy_type: secedit + value: '' +- name: SeTakeOwnershipPrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- key: MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\allownullsessionfallback + policy_type: regpol + value: '0' + 
vtype: DWORD +- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs + policy_type: regpol + value: '900' + vtype: DWORD +- key: MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption + policy_type: regpol + value: '1' + vtype: SZ +- key: MACHINE\System\CurrentControlSet\Control\Lsa\SCENoApplyLegacyAuditPolicy + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin + policy_type: regpol + value: '2' + vtype: DWORD +- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser + policy_type: regpol + value: '0' + vtype: DWORD +- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel + policy_type: regpol + value: '5' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec + policy_type: regpol + value: '537395200' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\sealsecurechannel + policy_type: regpol + value: '1' + vtype: DWORD +- key: 
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec + policy_type: regpol + value: '537395200' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\requiresignorseal + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\signsecurechannel + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\requiresecuritysignature + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\requirestrongkey + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword + policy_type: regpol + value: '0' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity + policy_type: regpol + value: '2' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LdapEnforceChannelBinding + policy_type: 
regpol + value: '2' + vtype: DWORD diff --git a/ash-windows/sct/Windows_2022Server_DC/init.sls b/ash-windows/sct/Windows_2022Server_DC/init.sls new file mode 100644 index 0000000..53afed9 --- /dev/null +++ b/ash-windows/sct/Windows_2022Server_DC/init.sls @@ -0,0 +1 @@ +{#- Placeholder init file #} diff --git a/ash-windows/sct/Windows_2022Server_DC/machine_registry.yml b/ash-windows/sct/Windows_2022Server_DC/machine_registry.yml new file mode 100644 index 0000000..d923acf --- /dev/null +++ b/ash-windows/sct/Windows_2022Server_DC/machine_registry.yml 
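Review bot: The five rights set to `''` near the top of this file (`SeCreateTokenPrivilege`, `SeTrustedCredManAccessPrivilege`, `SeCreatePermanentPrivilege`, `SeLockMemoryPrivilege`, `SeTcbPrivilege`) are the baseline's "assigned to no one" entries, and the YAML gives no hint whether an empty value means "clear every holder" or "nothing to apply". If the secedit handler skips empty values, the most dangerous rights in the list stay at whatever the source image already grants, which silently weakens the domain-controller baseline. Please confirm the handler's behaviour and record it once at the top of the file, e.g. `# value: '' removes the right from all accounts (secedit "no one"); it is not left unmanaged`. The Member Server file in this same change uses the same convention and would take the same comment.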
@@ -0,0 +1,327 @@ +- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun + policy_type: regpol + value: '255' + vtype: DWORD +- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoAutorun + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableAutomaticRestartSignOn + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\AllowEncryptionOracle + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Biometrics\FacialFeatures\EnhancedAntiSpoofing + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Internet Explorer\Feeds\DisableEnclosureDownload + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\CredentialsDelegation\AllowProtectedCreds + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\EventLog\Application\MaxSize + policy_type: regpol + value: '32768' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\EventLog\Security\MaxSize + policy_type: regpol + value: '196608' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\EventLog\System\MaxSize + policy_type: regpol + value: '32768' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\Explorer\NoAutoplayfornonVolume + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoBackgroundPolicy + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoGPOListChanges + policy_type: regpol + value: '0' + vtype: DWORD +- key: 
Computer\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\Installer\EnableUserControl + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\Kernel DMA Protection\DeviceEnumerationPolicy + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\LanmanWorkstation\AllowInsecureGuestAuth + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths\\\*\NETLOGON + policy_type: regpol + value: RequireMutualAuthentication=1,RequireIntegrity=1 + vtype: SZ +- key: Computer\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths\\\*\SYSVOL + policy_type: regpol + value: RequireMutualAuthentication=1,RequireIntegrity=1 + vtype: SZ +- key: Computer\Software\Policies\Microsoft\Windows\Personalization\NoLockScreenCamera + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\Personalization\NoLockScreenSlideshow + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging + policy_type: regpol + value: '1' + vtype: DWORD +- action: DELETE + key: Computer\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockInvocationLogging + policy_type: regpol +- action: CREATEKEY + key: Computer\Software\Policies\Microsoft\Windows\Safer\* + policy_type: regpol +- key: Computer\Software\Policies\Microsoft\Windows\SrpV2\Appx\EnforcementMode + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\SrpV2\Appx\AllowWindows + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\SrpV2\Appx\a9e18c21-ff8f-43cf-b9fc-db40eed693ba\Value + 
policy_type: regpol + value: \r\n + vtype: SZ +- key: Computer\Software\Policies\Microsoft\Windows\SrpV2\Dll\AllowWindows + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\SrpV2\Exe\EnforcementMode + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\SrpV2\Exe\AllowWindows + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\SrpV2\Exe\61bd6501-5227-446f-b233-faffc7620c58\Value + policy_type: regpol + value: \r\n + vtype: SZ +- key: Computer\Software\Policies\Microsoft\Windows\SrpV2\Exe\61cc3c42-eee8-438a-8c78-a80da093d621\Value + policy_type: regpol + value: \r\n + vtype: SZ +- key: Computer\Software\Policies\Microsoft\Windows\SrpV2\Exe\6676be6c-419b-41a8-8943-39715b98f77a\Value + policy_type: regpol + value: \r\n + vtype: SZ +- key: Computer\Software\Policies\Microsoft\Windows\SrpV2\Exe\881d54fe-3848-4d6a-95fd-42d48ebe60b8\Value + policy_type: regpol + value: \r\n + vtype: SZ +- key: Computer\Software\Policies\Microsoft\Windows\SrpV2\Exe\921cc481-6e17-4653-8f75-050b80acca20\Value + policy_type: regpol + value: \r\n + vtype: SZ +- key: Computer\Software\Policies\Microsoft\Windows\SrpV2\Exe\a61c8b2c-a319-4cd0-9690-d2177cad7b51\Value + policy_type: regpol + value: \r\n + vtype: SZ +- key: Computer\Software\Policies\Microsoft\Windows\SrpV2\Exe\fd686d83-a829-4351-8ff4-27c7de5755d2\Value + policy_type: regpol + value: \r\n + vtype: SZ +- key: Computer\Software\Policies\Microsoft\Windows\SrpV2\Msi\AllowWindows + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\SrpV2\Script\AllowWindows + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\System\EnableSmartScreen + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\System\ShellSmartScreenLevel + policy_type: regpol + 
value: Block + vtype: SZ +- key: Computer\Software\Policies\Microsoft\Windows\Windows Search\AllowIndexingEncryptedStoresOrItems + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Client\AllowBasic + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Client\AllowUnencryptedTraffic + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Client\AllowDigest + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Service\AllowBasic + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Service\AllowUnencryptedTraffic + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Service\DisableRunAs + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint\RestrictDriverInstallationToAdministrators + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\DisablePasswordSaving + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\fDisableCdm + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\fPromptForPassword + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\fEncryptRPCTraffic + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\MinEncryptionLevel + policy_type: regpol + value: '3' + vtype: DWORD +- key: 
Computer\Software\Policies\Microsoft\WindowsFirewall\PolicyVersion + policy_type: regpol + value: '538' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\DefaultOutboundAction + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\DefaultInboundAction + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\EnableFirewall + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\DefaultInboundAction + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\DefaultOutboundAction + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\EnableFirewall + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\DefaultOutboundAction + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\DefaultInboundAction + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\WindowsInkWorkspace\AllowWindowsInkWorkspace + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\DisableExceptionChainValidation + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\SYSTEM\CurrentControlSet\Policies\EarlyLaunch\DriverLoadPolicy + policy_type: regpol + value: '3' + vtype: DWORD +- key: 
Computer\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1 + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\SYSTEM\CurrentControlSet\Services\MrxSmb10\Start + policy_type: regpol + value: '4' + vtype: DWORD +- key: Computer\SYSTEM\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\SYSTEM\CurrentControlSet\Services\Netbt\Parameters\NodeType + policy_type: regpol + value: '2' + vtype: DWORD +- key: Computer\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting + policy_type: regpol + value: '2' + vtype: DWORD +- key: Computer\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisableIPSourceRouting + policy_type: regpol + value: '2' + vtype: DWORD diff --git a/ash-windows/sct/Windows_2022Server_DC/user_registry.yml b/ash-windows/sct/Windows_2022Server_DC/user_registry.yml new file mode 100644 index 0000000..fe51488 --- /dev/null +++ b/ash-windows/sct/Windows_2022Server_DC/user_registry.yml @@ -0,0 +1 @@ +[] diff --git a/ash-windows/sct/Windows_2022Server_MS/audit.csv b/ash-windows/sct/Windows_2022Server_MS/audit.csv new file mode 100644 index 0000000..05cae4d --- /dev/null +++ b/ash-windows/sct/Windows_2022Server_MS/audit.csv 
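Review bot: The eight `SrpV2\...\{GUID}\Value` entries in the middle of this hunk carry `\r\n` as their entire value, yet these are AppLocker rule slots (the `921cc481…`, `a61c8b2c…`, `fd686d83…` and `a9e18c21…` GUIDs appear to be AppLocker's default Exe and Appx rules), whose `Value` normally holds the `<FilePublisherRule>`/`<FilePathRule>` XML. Whether that scalar is a literal CRLF or the four characters `\r\n`, it is not a parseable rule, and the same hunk switches enforcement on (`SrpV2\Exe\EnforcementMode: '1'`, `SrpV2\Exe\AllowWindows: '0'`); an enforced Exe collection whose rules fail to parse is the classic way to block all execution on the box, here a domain controller. Compare these entries with the source `machine_registry.pol` before this lands; if the converter dropped the XML, either carry it through intact (the rule text is multi-line, so the emitter must quote it) or remove the `SrpV2` and `Safer` entries and say why. The Member Server file in this same change has no `SrpV2` entries, so the asymmetry deserves a one-line comment either way.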
@@ -0,0 +1,24 @@ +Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value +,System,Audit Credential Validation,{0cce923f-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Security Group Management,{0cce9237-69ae-11d9-bed3-505054503030},Success,,1 +,System,Audit User Account Management,{0cce9235-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit PNP Activity,{0cce9248-69ae-11d9-bed3-505054503030},Success,,1 +,System,Audit Process Creation,{0cce922b-69ae-11d9-bed3-505054503030},Success,,1 +,System,Audit Account Lockout,{0cce9217-69ae-11d9-bed3-505054503030},Failure,,2 +,System,Audit Group Membership,{0cce9249-69ae-11d9-bed3-505054503030},Success,,1 +,System,Audit Logon,{0cce9215-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Other Logon/Logoff Events,{0cce921c-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Special Logon,{0cce921b-69ae-11d9-bed3-505054503030},Success,,1 +,System,Audit Detailed File Share,{0cce9244-69ae-11d9-bed3-505054503030},Failure,,2 +,System,Audit File Share,{0cce9224-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Other Object Access Events,{0cce9227-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Removable Storage,{0cce9245-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Audit Policy Change,{0cce922f-69ae-11d9-bed3-505054503030},Success,,1 +,System,Audit Authentication Policy Change,{0cce9230-69ae-11d9-bed3-505054503030},Success,,1 +,System,Audit MPSSVC Rule-Level Policy Change,{0cce9232-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Other Policy Change Events,{0cce9234-69ae-11d9-bed3-505054503030},Failure,,2 +,System,Audit Sensitive Privilege Use,{0cce9228-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Other System Events,{0cce9214-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Security State 
Change,{0cce9210-69ae-11d9-bed3-505054503030},Success,,1 +,System,Audit Security System Extension,{0cce9211-69ae-11d9-bed3-505054503030},Success,,1 +,System,Audit System Integrity,{0cce9212-69ae-11d9-bed3-505054503030},Success and Failure,,3 diff --git a/ash-windows/sct/Windows_2022Server_MS/gpttmpl.yml b/ash-windows/sct/Windows_2022Server_MS/gpttmpl.yml new file mode 100644 index 0000000..961c07b --- /dev/null +++ b/ash-windows/sct/Windows_2022Server_MS/gpttmpl.yml 
@@ -0,0 +1,188 @@ +- name: LSAAnonymousNameLookup + policy_type: secedit + value: '0' +- name: SeSecurityPrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeCreateTokenPrivilege + policy_type: secedit + value: '' +- name: SeTrustedCredManAccessPrivilege + policy_type: secedit + value: '' +- name: SeCreatePagefilePrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeRemoteShutdownPrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeLoadDriverPrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeRestorePrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeCreateGlobalPrivilege + policy_type: secedit + value: '*S-1-5-20,*S-1-5-19,*S-1-5-6,*S-1-5-32-544' +- name: SeManageVolumePrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeInteractiveLogonRight + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeEnableDelegationPrivilege + policy_type: secedit + value: '' +- name: SeCreatePermanentPrivilege + policy_type: secedit + value: '' +- name: SeDebugPrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeProfileSingleProcessPrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeBackupPrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeNetworkLogonRight + policy_type: secedit + value: '*S-1-5-11,*S-1-5-32-544' +- name: SeDenyNetworkLogonRight + policy_type: secedit + value: '*S-1-5-114' +- name: SeImpersonatePrivilege + policy_type: secedit + value: '*S-1-5-20,*S-1-5-19,*S-1-5-6,*S-1-5-32-544' +- name: SeSystemEnvironmentPrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeLockMemoryPrivilege + policy_type: secedit + value: '' +- name: SeTcbPrivilege + policy_type: secedit + value: '' +- name: SeTakeOwnershipPrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeDenyRemoteInteractiveLogonRight + policy_type: secedit + value: '*S-1-5-113' +- key: 
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictRemoteSAM + policy_type: regpol + value: O:BAG:BAD:(A;;RC;;;BA) + vtype: SZ +- key: MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword + policy_type: regpol + value: '0' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\requirestrongkey + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\requiresecuritysignature + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\signsecurechannel + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\requiresignorseal + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec + policy_type: regpol + value: '537395200' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\sealsecurechannel + policy_type: 
regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec + policy_type: regpol + value: '537395200' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel + policy_type: regpol + value: '5' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser + policy_type: regpol + value: '0' + vtype: DWORD +- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin + policy_type: regpol + value: '2' + vtype: DWORD +- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Control\Lsa\SCENoApplyLegacyAuditPolicy + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption + policy_type: regpol + value: '1' + vtype: SZ +- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs + policy_type: regpol + value: '900' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\allownullsessionfallback + policy_type: regpol + value: '0' + vtype: DWORD 
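Review bot: `SeDenyNetworkLogonRight: '*S-1-5-114'` together with `FilterAdministratorToken: '1'` later in this hunk means every local account that is a member of Administrators, including the built-in RID-500 account, is refused network logon and otherwise runs with a filtered token; on a domain-joined member server that is the intended pass-the-hash mitigation, but if this state is applied to a stand-alone instance it removes the only remote administration path over SMB/WinRM. That consequence should be stated where the file is consumed, with either a domain-join precondition or an explicit exclusion documented. Also compare the two `SeDeny*` lines with the source `GptTmpl.inf`: each carries a single SID here, so confirm the converter did not drop further entries (for example the Guests group) from a multi-value line. Suggested header: `# Deny rights assume a domain-joined host; local administrators (S-1-5-114) lose remote SMB/WinRM access.`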
diff --git a/ash-windows/sct/Windows_2022Server_MS/init.sls b/ash-windows/sct/Windows_2022Server_MS/init.sls new file mode 100644 index 0000000..53afed9 --- /dev/null +++ b/ash-windows/sct/Windows_2022Server_MS/init.sls @@ -0,0 +1 @@ +{#- Placeholder init file #} diff --git a/ash-windows/sct/Windows_2022Server_MS/machine_registry.yml b/ash-windows/sct/Windows_2022Server_MS/machine_registry.yml new file mode 100644 index 0000000..3d9fa35 --- /dev/null +++ b/ash-windows/sct/Windows_2022Server_MS/machine_registry.yml 
@@ -0,0 +1,255 @@ +- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun + policy_type: regpol + value: '255' + vtype: DWORD +- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoAutorun + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableAutomaticRestartSignOn + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\AllowEncryptionOracle + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Biometrics\FacialFeatures\EnhancedAntiSpoofing + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Internet Explorer\Feeds\DisableEnclosureDownload + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\CredentialsDelegation\AllowProtectedCreds + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\EventLog\Application\MaxSize + policy_type: regpol + value: '32768' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\EventLog\Security\MaxSize + policy_type: regpol + value: '196608' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\EventLog\System\MaxSize + policy_type: regpol + value: '32768' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\Explorer\NoAutoplayfornonVolume + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoBackgroundPolicy + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\Group 
Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoGPOListChanges + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\Installer\EnableUserControl + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\Kernel DMA Protection\DeviceEnumerationPolicy + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\LanmanWorkstation\AllowInsecureGuestAuth + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths\\\*\SYSVOL + policy_type: regpol + value: RequireMutualAuthentication=1,RequireIntegrity=1 + vtype: SZ +- key: Computer\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths\\\*\NETLOGON + policy_type: regpol + value: RequireMutualAuthentication=1,RequireIntegrity=1 + vtype: SZ +- key: Computer\Software\Policies\Microsoft\Windows\Personalization\NoLockScreenCamera + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\Personalization\NoLockScreenSlideshow + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging + policy_type: regpol + value: '1' + vtype: DWORD +- action: DELETE + key: Computer\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockInvocationLogging + policy_type: regpol +- key: Computer\Software\Policies\Microsoft\Windows\System\EnumerateLocalUsers + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\System\EnableSmartScreen + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\System\ShellSmartScreenLevel + policy_type: 
regpol + value: Block + vtype: SZ +- key: Computer\Software\Policies\Microsoft\Windows\Windows Search\AllowIndexingEncryptedStoresOrItems + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Client\AllowBasic + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Client\AllowUnencryptedTraffic + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Client\AllowDigest + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Service\AllowBasic + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Service\AllowUnencryptedTraffic + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Service\DisableRunAs + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint\RestrictDriverInstallationToAdministrators + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows NT\Rpc\RestrictRemoteClients + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\DisablePasswordSaving + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\fDisableCdm + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\fPromptForPassword + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\fEncryptRPCTraffic + policy_type: regpol + value: '1' + vtype: DWORD +- key: 
Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\MinEncryptionLevel + policy_type: regpol + value: '3' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PolicyVersion + policy_type: regpol + value: '538' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\DefaultOutboundAction + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\DefaultInboundAction + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\EnableFirewall + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\DefaultInboundAction + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\DefaultOutboundAction + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\EnableFirewall + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\DefaultOutboundAction + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\DefaultInboundAction + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\WindowsInkWorkspace\AllowWindowsInkWorkspace + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft Services\AdmPwd\AdmPwdEnabled + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential + policy_type: regpol + value: '0' + vtype: DWORD +- key: 
Computer\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\DisableExceptionChainValidation + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\SYSTEM\CurrentControlSet\Policies\EarlyLaunch\DriverLoadPolicy + policy_type: regpol + value: '3' + vtype: DWORD +- key: Computer\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1 + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\SYSTEM\CurrentControlSet\Services\MrxSmb10\Start + policy_type: regpol + value: '4' + vtype: DWORD +- key: Computer\SYSTEM\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\SYSTEM\CurrentControlSet\Services\Netbt\Parameters\NodeType + policy_type: regpol + value: '2' + vtype: DWORD +- key: Computer\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting + policy_type: regpol + value: '2' + vtype: DWORD +- key: Computer\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisableIPSourceRouting + policy_type: regpol + value: '2' + vtype: DWORD diff --git a/ash-windows/sct/Windows_2022Server_MS/user_registry.yml b/ash-windows/sct/Windows_2022Server_MS/user_registry.yml new file mode 100644 index 0000000..fe51488 --- /dev/null +++ b/ash-windows/sct/Windows_2022Server_MS/user_registry.yml @@ -0,0 +1 @@ +[] diff --git a/ash-windows/stig/Update_DOD_CA_certs.md b/ash-windows/stig/Update_DOD_CA_certs.md new file mode 100644 index 0000000..db9cf0e --- /dev/null +++ b/ash-windows/stig/Update_DOD_CA_certs.md 
@@ -0,0 +1,14 @@
+Over time, as old DoD Root CAs expire and new ones are released, it will be necessary to update [dodcerts.sls](https://github.com/plus3it/ash-windows-formula/blob/master/ash-windows/stig/dodcerts.sls) to incorporate the new DoD CA guidance.
+
+Process to update `dodcerts.sls`:
+- Obtain new Windows SCAP content from [DoD Cyber Exchange ](https://public.cyber.mil/stigs/scap/) and incorporate the new content in the `disa` folder of the [scap-formula](https://github.com/plus3it/scap-formula/tree/master/scap/content/guides/disa) project
+
+- Generate a SCAP scan and determine if the report indicates any DoD CA-related findings
+
+- If DoD CA findings exist, there will be a `Fix Text` section providing information on how to resolve the finding. For Windows, it involves downloading the latest version of the InstallRoot Windows installer. InstallRoot can be obtained from the public [DoD Cyber Exchange PKI/PKE](https://public.cyber.mil/pki-pke/tools-configuration-files/) website.
+
+- Download the desired Windows installer and apply it to the system
+
+- Re-run the SCAP scan to generate a new report. The new report should indicate the DoD CA findings have been resolved. For each DoD CA finding resolved, there will be a `Test` section indicating the results of the check. The result should indicate `true`. The `Collected Item/State Result` field should contain the registry information that can now be used to update `dodcert.sls`
+
+
diff --git a/ash-windows/stig/Windows_11/init.sls b/ash-windows/stig/Windows_11/init.sls
new file mode 100644
index 0000000..3d3309d
--- /dev/null
+++ b/ash-windows/stig/Windows_11/init.sls
@@ -0,0 +1,9 @@
+SV-253283r828933_rule - Data Execution Prevention (DEP) must be configured to at least OptOut:
+ cmd.run:
+ - name: BCDEDIT /set "{current}" nx OptOut
+ - shell: powershell
+
+SV-253285r828939_rule - The Windows PowerShell 2.0 feature must be disabled on the system:
+ cmd.run:
+ - name: Disable-WindowsOptionalFeature -Online -NoRestart -FeatureName MicrosoftWindowsPowerShellV2Root
+ - shell: powershell
diff --git a/ash-windows/stig/Windows_11/stig.yml b/ash-windows/stig/Windows_11/stig.yml
new file mode 100644
index 0000000..c71e896
--- /dev/null
+++ b/ash-windows/stig/Windows_11/stig.yml
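Review bot: Both `cmd.run` states in this hunk run unconditionally, so `BCDEDIT /set "{current}" nx OptOut` and `Disable-WindowsOptionalFeature` are re-executed on every highstate and Salt reports a change each time even when the system is already compliant. An `unless` guard on each state makes them idempotent and keeps the highstate report meaningful for compliance tracking, e.g. `- unless: if ((Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root).State -eq 'Disabled') { exit 0 } else { exit 1 }` for the PowerShell 2.0 state and `- unless: if ((bcdedit /enum "{current}") -match 'nx\s+OptOut') { exit 0 } else { exit 1 }` for the DEP state. The explicit `exit` codes matter because Salt decides on the guard's return code, and a bare boolean expression under PowerShell would not set one. The guards should inherit the `shell: powershell` the states already declare; worth confirming on the target Salt version.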
@@ -0,0 +1,748 @@ +- key: User\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\SaveZoneInformation + policy_type: regpol + value: '2' + vtype: DWORD +- key: User\SOFTWARE\Policies\Microsoft\Windows\CloudContent\DisableThirdPartySuggestions + policy_type: regpol + value: '1' + vtype: DWORD +- key: User\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications\NoToastApplicationNotificationOnLockScreen + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\SOFTWARE\Classes\batfile\shell\runasuser\SuppressionPolicy + policy_type: regpol + value: '4096' + vtype: DWORD +- key: Computer\SOFTWARE\Classes\cmdfile\shell\runasuser\SuppressionPolicy + policy_type: regpol + value: '4096' + vtype: DWORD +- key: Computer\SOFTWARE\Classes\exefile\shell\runasuser\SuppressionPolicy + policy_type: regpol + value: '4096' + vtype: DWORD +- key: Computer\SOFTWARE\Classes\mscfile\shell\runasuser\SuppressionPolicy + policy_type: regpol + value: '4096' + vtype: DWORD +- key: Computer\SOFTWARE\Microsoft\wcmsvc\wifinetworkmanager\config\AutoConnectAllowedOEM + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartBanner + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebServices + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoAutorun + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun + policy_type: regpol + value: '255' + vtype: DWORD +- key: Computer\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\PreXPSP2ShellProtocolBehavior + policy_type: regpol + value: '0' + 
vtype: DWORD +- key: Computer\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS\PasswordComplexity + policy_type: regpol + value: '4' + vtype: DWORD +- key: Computer\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS\PasswordLength + policy_type: regpol + value: '14' + vtype: DWORD +- key: Computer\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\LAPS\PasswordAgeDays + policy_type: regpol + value: '60' + vtype: DWORD +- key: Computer\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\MSAOptional + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableAutomaticRestartSignOn + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ProcessCreationIncludeCmdLine_Enabled + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\DevicePKInitEnabled + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\DevicePKInitBehavior + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures\EnhancedAntiSpoofing + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002\EccCurves + policy_type: regpol + value: 'NistP384 + + NistP256' + vtype: MULTISZ +- key: Computer\SOFTWARE\Policies\Microsoft\FVE\UseAdvancedStartup + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\FVE\EnableBDEWithNoTPM + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\FVE\UseTPM + policy_type: 
regpol + value: '2' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\FVE\UseTPMPIN + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\FVE\UseTPMKey + policy_type: regpol + value: '2' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\FVE\UseTPMKeyPIN + policy_type: regpol + value: '2' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\FVE\MinimumPIN + policy_type: regpol + value: '6' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds\DisableEnclosureDownload + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds\AllowBasicAuthInClear + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\NotifyDisableIEOptions + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\PassportForWork\RequireSecurityDevice + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\PassportForWork\ExcludeSecurityDevices\TPM12 + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity\MinimumPINLength + policy_type: regpol + value: '6' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\DCSettingIndex + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ACSettingIndex + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Windows\AppCompat\DisableInventory + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy\LetAppsActivateWithVoiceAboveLock + policy_type: regpol + value: '2' + vtype: DWORD +- key: 
Computer\SOFTWARE\Policies\Microsoft\Windows\CloudContent\DisableWindowsConsumerFeatures + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowProtectedCreds + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Windows\DataCollection\LimitEnhancedDiagnosticDataWindowsAnalytics + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Windows\DataCollection\AllowTelemetry + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization\DODownloadMode + policy_type: regpol + value: '2' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\EnableVirtualizationBasedSecurity + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\RequirePlatformSecurityFeatures + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\HypervisorEnforcedCodeIntegrity + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\HVCIMATRequired + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\ConfigureSystemGuardLaunch + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application\MaxSize + policy_type: regpol + value: '32768' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security\MaxSize + policy_type: regpol + value: '1024000' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Windows\EventLog\System\MaxSize + policy_type: regpol + value: '32768' + vtype: DWORD +- key: 
Computer\SOFTWARE\Policies\Microsoft\Windows\Explorer\NoAutoplayfornonVolume + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Windows\Explorer\NoDataExecutionPrevention + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Windows\Explorer\NoHeapTerminationOnCorruption + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Windows\GameDVR\AllowGameDVR + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoBackgroundPolicy + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoGPOListChanges + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Windows\Installer\EnableUserControl + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Windows\Installer\SafeForScripting + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection\DeviceEnumerationPolicy + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation\AllowInsecureGuestAuth + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Windows\Network Connections\NC_ShowSharedAccessUI + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths\\\*\SYSVOL + policy_type: regpol + value: RequireMutualAuthentication=1, RequireIntegrity=1 + vtype: SZ +- key: Computer\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths\\\*\NETLOGON + 
policy_type: regpol + value: RequireMutualAuthentication=1, RequireIntegrity=1 + vtype: SZ +- key: Computer\SOFTWARE\Policies\Microsoft\Windows\Personalization\NoLockScreenCamera + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Windows\Personalization\NoLockScreenSlideshow + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging + policy_type: regpol + value: '1' + vtype: DWORD +- action: DELETE + key: Computer\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockInvocationLogging + policy_type: regpol +- key: Computer\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription\EnableTranscripting + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription\OutputDirectory + policy_type: regpol + value: C + vtype: SZ +- action: DELETE + key: Computer\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription\EnableInvocationHeader + policy_type: regpol +- key: Computer\SOFTWARE\Policies\Microsoft\Windows\System\DontDisplayNetworkSelectionUI + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Windows\System\EnumerateLocalUsers + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Windows\System\EnableSmartScreen + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Windows\System\ShellSmartScreenLevel + policy_type: regpol + value: Block + vtype: SZ +- key: Computer\SOFTWARE\Policies\Microsoft\Windows\System\AllowDomainPINLogon + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy\fMinimizeConnections + policy_type: regpol + value: '3' + vtype: DWORD +- key: 
Computer\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy\fBlockNonDomain + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Windows\Windows Search\AllowIndexingEncryptedStoresOrItems + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\AllowBasic + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\AllowUnencryptedTraffic + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\AllowDigest + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\AllowBasic + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\AllowUnencryptedTraffic + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\DisableRunAs + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Windows NT\Printers\DisableWebPnPDownload + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Windows NT\Printers\DisableHTTPPrinting + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Windows NT\Rpc\RestrictRemoteClients + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fAllowToGetHelp + policy_type: regpol + value: '0' + vtype: DWORD +- action: DELETE + key: Computer\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fAllowFullControl + policy_type: regpol +- action: DELETE + key: Computer\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\MaxTicketExpiry + policy_type: regpol +- action: DELETE + key: Computer\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\MaxTicketExpiryUnits + 
policy_type: regpol +- action: DELETE + key: Computer\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fUseMailto + policy_type: regpol +- key: Computer\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\DisablePasswordSaving + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDisableCdm + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fPromptForPassword + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fEncryptRPCTraffic + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\MinEncryptionLevel + policy_type: regpol + value: '3' + vtype: DWORD +- key: Computer\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace\AllowWindowsInkWorkspace + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\DisableExceptionChainValidation + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\SYSTEM\CurrentControlSet\Policies\EarlyLaunch\DriverLoadPolicy + policy_type: regpol + value: '3' + vtype: DWORD +- key: Computer\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1 + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\SYSTEM\CurrentControlSet\Services\MrxSmb10\Start + policy_type: regpol + value: '4' + vtype: DWORD +- key: Computer\SYSTEM\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting + policy_type: regpol + value: '2' + vtype: DWORD +- key: 
Computer\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisableIPSourceRouting + policy_type: regpol + value: '2' + vtype: DWORD +- name: MinimumPasswordAge + policy_type: secedit + value: '1' +- name: MaximumPasswordAge + policy_type: secedit + value: '60' +- name: MinimumPasswordLength + policy_type: secedit + value: '14' +- name: PasswordComplexity + policy_type: secedit + value: '1' +- name: PasswordHistorySize + policy_type: secedit + value: '24' +- name: LockoutBadCount + policy_type: secedit + value: '3' +- name: ResetLockoutCount + policy_type: secedit + value: '15' +- name: LockoutDuration + policy_type: secedit + value: '15' +- name: NewAdministratorName + policy_type: secedit + value: '"X_Admin"' +- name: NewGuestName + policy_type: secedit + value: '"Visitor"' +- name: ClearTextPassword + policy_type: secedit + value: '0' +- name: LSAAnonymousNameLookup + policy_type: secedit + value: '0' +- name: EnableAdminAccount + policy_type: secedit + value: '0' +- name: EnableGuestAccount + policy_type: secedit + value: '0' +- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge + policy_type: regpol + value: '30' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange + policy_type: regpol + value: 
'0' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword + policy_type: regpol + value: '0' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Control\Lsa\SCENoApplyLegacyAuditPolicy + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Control\Lsa\RestrictRemoteSAM + policy_type: regpol + value: O:BAG:BAD:(A;;RC;;;BA) + vtype: SZ +- key: MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Control\Lsa\pku2u\AllowOnlineID + policy_type: regpol + value: '0' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec + policy_type: regpol + value: '537395200' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec + policy_type: regpol + value: '537395200' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\allownullsessionfallback + policy_type: 
regpol + value: '0' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel + policy_type: regpol + value: '5' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous + policy_type: regpol + value: '0' + vtype: DWORD +- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText + policy_type: regpol + value: 'You are accessing a U.S. Government (USG) Information System (IS) that is + provided for USG-authorized use only. + + By using this IS (which includes any device attached to this IS), you consent + to the following conditions: + + -The USG routinely intercepts and monitors communications on this IS for purposes + including, but not limited to, penetration testing, COMSEC monitoring, network + operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence + (CI) investigations. + + -At any time, the USG may inspect and seize data stored on this IS. + + -Communications using, or data stored on, this IS are not private, are subject + to routine monitoring, interception, and search, and may be disclosed or used + for any USG-authorized purpose. + + -This IS includes security measures (e.g., authentication and access controls) + to protect USG interests--not for your personal benefit or privacy. + + -Notwithstanding the above, using this IS does not constitute consent to PM, LE + or CI investigative searching or monitoring of the content of privileged communications, + or work product, related to personal representation or services by attorneys, + psychotherapists, or clergy, and their assistants. Such communications and work + product are private and confidential. 
See User Agreement for details.' + vtype: MULTISZ +- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption + policy_type: regpol + value: US Department of Defense Warning Statement + vtype: SZ +- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypes + policy_type: regpol + value: '2147483640' + vtype: DWORD +- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs + policy_type: regpol + value: '900' + vtype: DWORD +- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser + policy_type: regpol + value: '0' + vtype: DWORD +- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin + policy_type: regpol + value: '2' + vtype: DWORD +- key: MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption + policy_type: regpol + value: '1' + vtype: SZ +- key: MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount + policy_type: regpol + value: '10' + vtype: SZ +- name: SeTrustedCredManAccessPrivilege + policy_type: secedit + value: '' +- name: SeNetworkLogonRight + policy_type: secedit + value: 
'*S-1-5-32-544,*S-1-5-32-555' +- name: SeTcbPrivilege + policy_type: secedit + value: '' +- name: SeInteractiveLogonRight + policy_type: secedit + value: '*S-1-5-32-544,*S-1-5-32-545' +- name: SeBackupPrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeSystemtimePrivilege + policy_type: secedit + value: '*S-1-5-32-544,*S-1-5-19' +- name: SeCreatePagefilePrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeCreateTokenPrivilege + policy_type: secedit + value: '' +- name: SeCreateGlobalPrivilege + policy_type: secedit + value: '*S-1-5-32-544,*S-1-5-19,*S-1-5-20,*S-1-5-6' +- name: SeCreatePermanentPrivilege + policy_type: secedit + value: '' +- name: SeCreateSymbolicLinkPrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeDebugPrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeEnableDelegationPrivilege + policy_type: secedit + value: '' +- name: SeRemoteShutdownPrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeLoadDriverPrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeLockMemoryPrivilege + policy_type: secedit + value: '' +- name: SeSecurityPrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeSystemEnvironmentPrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeManageVolumePrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeProfileSingleProcessPrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeRestorePrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeTakeOwnershipPrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeDenyNetworkLogonRight + policy_type: secedit + value: '*S-1-5-113,*S-1-5-32-546' +- name: SeDenyInteractiveLogonRight + policy_type: secedit + value: '*S-1-5-32-546' +- name: SeDenyRemoteInteractiveLogonRight + policy_type: secedit + value: '*S-1-5-113,*S-1-5-32-546' +- name: SeImpersonatePrivilege + policy_type: secedit + value: 
'*S-1-5-6,*S-1-5-20,*S-1-5-19,*S-1-5-32-544'
diff --git a/ash-windows/stig/Windows_11/stig_audit.csv b/ash-windows/stig/Windows_11/stig_audit.csv
new file mode 100644
index 0000000..918fe42
--- /dev/null
+++ b/ash-windows/stig/Windows_11/stig_audit.csv
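Review bot: The `PowerShell\Transcription\OutputDirectory` entry in this hunk carries `value: C` with `vtype: SZ`, which is not a usable directory path and looks like a drive-letter path truncated at its colon during conversion; it should be checked against the source `registry.pol`, and if the baseline leaves the location unspecified the entry should be dropped rather than written as `C`. Because `EnableTranscripting` is set to `1` immediately above it, whatever this value resolves to decides where every PowerShell transcript on the host is written, so it is worth confirming before the state is applied. Separately, the secedit entries `NewAdministratorName: '"X_Admin"'` and `NewGuestName: '"Visitor"'` apply the baseline's sample account names verbatim; since those names ship with the public baseline they provide little of the obscurity the rename control is meant to add, and a short comment noting they are expected to be overridden per site would help the next maintainer. The `HardenedPaths` values here use `RequireMutualAuthentication=1, RequireIntegrity=1` (space after the comma) while the earlier hunk's entries for the same keys use no space; the client appears to tolerate both, but one spelling across baselines makes diffs between them easier to read.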
@@ -0,0 +1,27 @@ +Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value +,System,Audit Credential Validation,{0cce923f-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Security Group Management,{0cce9237-69ae-11d9-bed3-505054503030},Success,,1 +,System,Audit User Account Management,{0cce9235-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit PNP Activity,{0cce9248-69ae-11d9-bed3-505054503030},Success,,1 +,System,Audit Process Creation,{0cce922b-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Account Lockout,{0cce9217-69ae-11d9-bed3-505054503030},Failure,,2 +,System,Audit Group Membership,{0cce9249-69ae-11d9-bed3-505054503030},Success,,1 +,System,Audit Logoff,{0cce9216-69ae-11d9-bed3-505054503030},Success,,1 +,System,Audit Logon,{0cce9215-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Other Logon/Logoff Events,{0cce921c-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Special Logon,{0cce921b-69ae-11d9-bed3-505054503030},Success,,1 +,System,Audit Detailed File Share,{0cce9244-69ae-11d9-bed3-505054503030},Failure,,2 +,System,Audit File Share,{0cce9224-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Other Object Access Events,{0cce9227-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Removable Storage,{0cce9245-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Audit Policy Change,{0cce922f-69ae-11d9-bed3-505054503030},Success,,1 +,System,Audit Authentication Policy Change,{0cce9230-69ae-11d9-bed3-505054503030},Success,,1 +,System,Audit Authorization Policy Change,{0cce9231-69ae-11d9-bed3-505054503030},Success,,1 +,System,Audit MPSSVC Rule-Level Policy Change,{0cce9232-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Other Policy Change Events,{0cce9234-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Sensitive Privilege 
Use,{0cce9228-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit IPsec Driver,{0cce9213-69ae-11d9-bed3-505054503030},Failure,,2 +,System,Audit Other System Events,{0cce9214-69ae-11d9-bed3-505054503030},Success and Failure,,3 +,System,Audit Security State Change,{0cce9210-69ae-11d9-bed3-505054503030},Success,,1 +,System,Audit Security System Extension,{0cce9211-69ae-11d9-bed3-505054503030},Success,,1 +,System,Audit System Integrity,{0cce9212-69ae-11d9-bed3-505054503030},Success and Failure,,3 diff --git a/ash-windows/stig/Windows_2022Server_DC/init.sls b/ash-windows/stig/Windows_2022Server_DC/init.sls new file mode 100644 index 0000000..1ba4ad6 --- /dev/null +++ b/ash-windows/stig/Windows_2022Server_DC/init.sls @@ -0,0 +1 @@ +#No additional stig requirements diff --git a/ash-windows/stig/Windows_2022Server_DC/stig.yml b/ash-windows/stig/Windows_2022Server_DC/stig.yml new file mode 100644 index 0000000..3a2b4f6 --- /dev/null +++ b/ash-windows/stig/Windows_2022Server_DC/stig.yml 
@@ -0,0 +1,590 @@ +- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoAutorun + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun + policy_type: regpol + value: '255' + vtype: DWORD +- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\PreXPSP2ShellProtocolBehavior + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableAutomaticRestartSignOn + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ProcessCreationIncludeCmdLine_Enabled + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Internet Explorer\Feeds\DisableEnclosureDownload + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Internet Explorer\Feeds\AllowBasicAuthInClear + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\DCSettingIndex + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ACSettingIndex + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\AppCompat\DisableInventory + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\CredentialsDelegation\AllowProtectedCreds + policy_type: regpol + value: '1' + vtype: DWORD +- key: 
Computer\Software\Policies\Microsoft\Windows\DataCollection\AllowTelemetry + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\DeliveryOptimization\DODownloadMode + policy_type: regpol + value: '2' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\DeviceGuard\EnableVirtualizationBasedSecurity + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\DeviceGuard\RequirePlatformSecurityFeatures + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\DeviceGuard\HypervisorEnforcedCodeIntegrity + policy_type: regpol + value: '3' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\DeviceGuard\HVCIMATRequired + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags + policy_type: regpol + value: '3' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\DeviceGuard\ConfigureSystemGuardLaunch + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\EventLog\Application\MaxSize + policy_type: regpol + value: '32768' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\EventLog\Security\MaxSize + policy_type: regpol + value: '196608' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\EventLog\System\MaxSize + policy_type: regpol + value: '32768' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\Explorer\NoAutoplayfornonVolume + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\Explorer\NoDataExecutionPrevention + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\Explorer\NoHeapTerminationOnCorruption + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\Group 
Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoBackgroundPolicy + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoGPOListChanges + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\Installer\EnableUserControl + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\Installer\SafeForScripting + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\LanmanWorkstation\AllowInsecureGuestAuth + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths\\\*\SYSVOL + policy_type: regpol + value: RequireMutualAuthentication=1, RequireIntegrity=1 + vtype: SZ +- key: Computer\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths\\\*\NETLOGON + policy_type: regpol + value: RequireMutualAuthentication=1, RequireIntegrity=1 + vtype: SZ +- key: Computer\Software\Policies\Microsoft\Windows\Personalization\NoLockScreenSlideshow + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging + policy_type: regpol + value: '1' + vtype: DWORD +- action: DELETE + key: Computer\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockInvocationLogging + policy_type: regpol +- key: Computer\Software\Policies\Microsoft\Windows\PowerShell\Transcription\EnableTranscripting + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\PowerShell\Transcription\OutputDirectory + policy_type: regpol + value: C + vtype: SZ +- action: DELETE + key: 
Computer\Software\Policies\Microsoft\Windows\PowerShell\Transcription\EnableInvocationHeader + policy_type: regpol +- key: Computer\Software\Policies\Microsoft\Windows\System\DontDisplayNetworkSelectionUI + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\System\EnableSmartScreen + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\System\ShellSmartScreenLevel + policy_type: regpol + value: Block + vtype: SZ +- key: Computer\Software\Policies\Microsoft\Windows\System\EnumerateLocalUsers + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\Windows Search\AllowIndexingEncryptedStoresOrItems + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Client\AllowBasic + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Client\AllowUnencryptedTraffic + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Client\AllowDigest + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Service\AllowBasic + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Service\AllowUnencryptedTraffic + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Service\DisableRunAs + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows NT\Printers\DisableWebPnPDownload + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows NT\Printers\DisableHTTPPrinting + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\DisablePasswordSaving + policy_type: regpol + value: '1' + 
vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\fDisableCdm + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\fPromptForPassword + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\fEncryptRPCTraffic + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\MinEncryptionLevel + policy_type: regpol + value: '3' + vtype: DWORD +- key: Computer\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\SYSTEM\CurrentControlSet\Policies\EarlyLaunch\DriverLoadPolicy + policy_type: regpol + value: '3' + vtype: DWORD +- key: Computer\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1 + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\SYSTEM\CurrentControlSet\Services\MrxSmb10\Start + policy_type: regpol + value: '4' + vtype: DWORD +- key: Computer\SYSTEM\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand + policy_type: regpol + value: '1' + vtype: DWORD +- key: Computer\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting + policy_type: regpol + value: '2' + vtype: DWORD +- key: Computer\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect + policy_type: regpol + value: '0' + vtype: DWORD +- key: Computer\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisableIPSourceRouting + policy_type: regpol + value: '2' + vtype: DWORD +- name: MinimumPasswordAge + policy_type: secedit + value: '1' +- name: MaximumPasswordAge + policy_type: secedit + value: '60' +- name: MinimumPasswordLength + policy_type: secedit + value: '14' +- name: PasswordComplexity + policy_type: secedit + value: '1' +- name: PasswordHistorySize + policy_type: secedit + value: '24' +- name: 
LockoutBadCount + policy_type: secedit + value: '3' +- name: ResetLockoutCount + policy_type: secedit + value: '15' +- name: LockoutDuration + policy_type: secedit + value: '15' +- name: ClearTextPassword + policy_type: secedit + value: '0' +- name: LSAAnonymousNameLookup + policy_type: secedit + value: '0' +- name: EnableGuestAccount + policy_type: secedit + value: '0' +- name: MaxTicketAge + policy_type: secedit + value: '-1' +- name: MaxRenewAge + policy_type: secedit + value: '8' +- name: MaxServiceAge + policy_type: secedit + value: '-1' +- name: TicketValidateClient + policy_type: secedit + value: '1' +- key: MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount + policy_type: regpol + value: '4' + vtype: SZ +- key: MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption + policy_type: regpol + value: '1' + vtype: SZ +- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin + policy_type: regpol + value: '2' + vtype: DWORD +- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser + policy_type: regpol + value: '0' + vtype: DWORD +- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle + policy_type: regpol + value: '0' + vtype: DWORD +- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization + policy_type: regpol + value: '1' + vtype: DWORD +- key: 
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs + policy_type: regpol + value: '900' + vtype: DWORD +- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypes + policy_type: regpol + value: '2147483640' + vtype: DWORD +- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption + policy_type: regpol + value: US Department of Defense Warning Statement + vtype: SZ +- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText + policy_type: regpol + value: 'You are accessing a U.S. Government (USG) Information System (IS) that is + provided for USG-authorized use only. + + By using this IS (which includes any device attached to this IS), you consent + to the following conditions: + + -The USG routinely intercepts and monitors communications on this IS for purposes + including, but not limited to, penetration testing, COMSEC monitoring, network + operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence + (CI) investigations. + + -At any time, the USG may inspect and seize data stored on this IS. + + -Communications using, or data stored on, this IS are not private, are subject + to routine monitoring, interception, and search, and may be disclosed or used + for any USG-authorized purpose. + + -This IS includes security measures (e.g., authentication and access controls) + to protect USG interests--not for your personal benefit or privacy. 
+ + -Notwithstanding the above, using this IS does not constitute consent to PM, LE + or CI investigative searching or monitoring of the content of privileged communications, + or work product, related to personal representation or services by attorneys, + psychotherapists, or clergy, and their assistants. Such communications and work + product are private and confidential. See User Agreement for details.' + vtype: MULTISZ +- key: MACHINE\Software\Policies\Microsoft\Cryptography\ForceKeyProtection + policy_type: regpol + value: '2' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous + policy_type: regpol + value: '0' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel + policy_type: regpol + value: '5' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\allownullsessionfallback + policy_type: regpol + value: '0' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec + policy_type: regpol + value: '537395200' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec + policy_type: regpol + value: '537395200' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Control\Lsa\pku2u\AllowOnlineID + policy_type: regpol + value: '0' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM + policy_type: regpol + value: '1' + vtype: DWORD +- key: 
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictRemoteSAM + policy_type: regpol + value: O:BAG:BAD:(A;;RC;;;BA) + vtype: SZ +- key: MACHINE\System\CurrentControlSet\Control\Lsa\SCENoApplyLegacyAuditPolicy + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Control\Lsa\UseMachineId + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword + policy_type: regpol + value: '0' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange + policy_type: regpol + value: '0' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge + policy_type: regpol + value: '30' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal + policy_type: regpol + value: '1' + vtype: DWORD +- key: 
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel + policy_type: regpol + value: '1' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity + policy_type: regpol + value: '2' + vtype: DWORD +- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange + policy_type: regpol + value: '0' + vtype: DWORD +- name: SeDenyNetworkLogonRight + policy_type: secedit + value: '*S-1-5-32-546' +- name: SeDenyBatchLogonRight + policy_type: secedit + value: '*S-1-5-32-546' +- name: SeDenyInteractiveLogonRight + policy_type: secedit + value: '*S-1-5-32-546' +- name: SeDenyRemoteInteractiveLogonRight + policy_type: secedit + value: '*S-1-5-32-546' +- name: SeInteractiveLogonRight + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeBackupPrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeCreatePagefilePrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeCreateGlobalPrivilege + policy_type: secedit + value: '*S-1-5-32-544,*S-1-5-19,*S-1-5-20,*S-1-5-6' +- name: SeCreateSymbolicLinkPrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeDebugPrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeRemoteShutdownPrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeAuditPrivilege + policy_type: secedit + value: '*S-1-5-20,*S-1-5-19' +- name: SeImpersonatePrivilege + policy_type: secedit + value: '*S-1-5-6,*S-1-5-20,*S-1-5-19,*S-1-5-32-544' +- name: SeIncreaseBasePriorityPrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeLoadDriverPrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeSecurityPrivilege + 
policy_type: secedit + value: '*S-1-5-32-544' +- name: SeSystemEnvironmentPrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeManageVolumePrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeProfileSingleProcessPrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeRestorePrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeTakeOwnershipPrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeNetworkLogonRight + policy_type: secedit + value: '*S-1-5-32-544,*S-1-5-11,*S-1-5-9' +- name: SeEnableDelegationPrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeMachineAccountPrivilege + policy_type: secedit + value: '*S-1-5-32-544' +- name: SeRemoteInteractiveLogonRight + policy_type: secedit + value: '*S-1-5-32-544' diff --git a/ash-windows/stig/Windows_2022Server_DC/stig_audit.csv b/ash-windows/stig/Windows_2022Server_DC/stig_audit.csv new file mode 100644 index 0000000..6a7e7ac --- /dev/null +++ b/ash-windows/stig/Windows_2022Server_DC/stig_audit.csv 
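Review bot: `Computer\Software\Policies\Microsoft\Windows\PowerShell\Transcription\OutputDirectory` is written with `value: C` and `vtype: SZ`, which reads like a drive path that lost everything after the colon during the registry.pol-to-YAML conversion; applied as-is, PowerShell would likely resolve transcripts to a relative directory named `C` instead of the protected location the baseline intends, so the transcript trail an incident responder relies on could end up somewhere unexpected. Confirm the original value in the source registry.pol and restore it, e.g. `value: 'C:\<TRANSCRIPT_DIR placeholder>'`, quoting it so the colon survives the YAML round-trip. The Kerberos secedit entries `MaxTicketAge: '-1'` and `MaxServiceAge: '-1'` look like "not defined" sentinels rather than enforced lifetimes, and `MaxRenewAge: '8'` sits beside them; worth checking all three against the source GptTmpl.inf before this file is treated as the enforced DC baseline. The same `OutputDirectory` key probably appears in the Windows_2022Server_MS stig.yml added later in this commit, which I cannot see in full here.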
@@ -0,0 +1,26 @@
+Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value
+,System,Audit Credential Validation,{0cce923f-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Computer Account Management,{0cce9236-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Other Account Management Events,{0cce923a-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Security Group Management,{0cce9237-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit User Account Management,{0cce9235-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit PNP Activity,{0cce9248-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Process Creation,{0cce922b-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Directory Service Access,{0cce923b-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Directory Service Changes,{0cce923c-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Account Lockout,{0cce9217-69ae-11d9-bed3-505054503030},Failure,,2
+,System,Audit Group Membership,{0cce9249-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Logoff,{0cce9216-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Logon,{0cce9215-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Special Logon,{0cce921b-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Other Object Access Events,{0cce9227-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Removable Storage,{0cce9245-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Audit Policy Change,{0cce922f-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Authentication Policy Change,{0cce9230-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Authorization Policy Change,{0cce9231-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Sensitive Privilege Use,{0cce9228-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit IPsec Driver,{0cce9213-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Other System Events,{0cce9214-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Security State Change,{0cce9210-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Security System Extension,{0cce9211-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit System Integrity,{0cce9212-69ae-11d9-bed3-505054503030},Success and Failure,,3
diff --git a/ash-windows/stig/Windows_2022Server_MS/init.sls b/ash-windows/stig/Windows_2022Server_MS/init.sls
new file mode 100644
index 0000000..1ba4ad6
--- /dev/null
+++ b/ash-windows/stig/Windows_2022Server_MS/init.sls
@@ -0,0 +1 @@
+#No additional stig requirements
diff --git a/ash-windows/stig/Windows_2022Server_MS/stig.yml b/ash-windows/stig/Windows_2022Server_MS/stig.yml
new file mode 100644
index 0000000..806d680
--- /dev/null
+++ b/ash-windows/stig/Windows_2022Server_MS/stig.yml
@@ -0,0 +1,577 @@
+- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoAutorun
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
+ policy_type: regpol
+ value: '255'
+ vtype: DWORD
+- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\PreXPSP2ShellProtocolBehavior
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\LAPS\PasswordComplexity
+ policy_type: regpol
+ value: '4'
+ vtype: DWORD
+- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\LAPS\PasswordLength
+ policy_type: regpol
+ value: '14'
+ vtype: DWORD
+- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\LAPS\PasswordAgeDays
+ policy_type: regpol
+ value: '60'
+ vtype: DWORD
+- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableAutomaticRestartSignOn
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ProcessCreationIncludeCmdLine_Enabled
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Internet Explorer\Feeds\DisableEnclosureDownload
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Internet Explorer\Feeds\AllowBasicAuthInClear
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\DCSettingIndex
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ACSettingIndex
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\AppCompat\DisableInventory
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\CredentialsDelegation\AllowProtectedCreds
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\DataCollection\AllowTelemetry
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\DeliveryOptimization\DODownloadMode
+ policy_type: regpol
+ value: '2'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\DeviceGuard\EnableVirtualizationBasedSecurity
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\DeviceGuard\RequirePlatformSecurityFeatures
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\DeviceGuard\HypervisorEnforcedCodeIntegrity
+ policy_type: regpol
+ value: '3'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\DeviceGuard\HVCIMATRequired
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\DeviceGuard\ConfigureSystemGuardLaunch
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\EventLog\Application\MaxSize
+ policy_type: regpol
+ value: '32768'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\EventLog\Security\MaxSize
+ policy_type: regpol
+ value: '196608'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\EventLog\System\MaxSize
+ policy_type: regpol
+ value: '32768'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\Explorer\NoAutoplayfornonVolume
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\Explorer\NoDataExecutionPrevention
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\Explorer\NoHeapTerminationOnCorruption
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoBackgroundPolicy
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoGPOListChanges
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\Installer\EnableUserControl
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\Installer\SafeForScripting
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\LanmanWorkstation\AllowInsecureGuestAuth
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths\\\*\SYSVOL
+ policy_type: regpol
+ value: RequireMutualAuthentication=1, RequireIntegrity=1
+ vtype: SZ
+- key: Computer\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths\\\*\NETLOGON
+ policy_type: regpol
+ value: RequireMutualAuthentication=1, RequireIntegrity=1
+ vtype: SZ
+- key: Computer\Software\Policies\Microsoft\Windows\Personalization\NoLockScreenSlideshow
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- action: DELETE
+ key: Computer\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockInvocationLogging
+ policy_type: regpol
+- key: Computer\Software\Policies\Microsoft\Windows\PowerShell\Transcription\EnableTranscripting
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\PowerShell\Transcription\OutputDirectory
+ policy_type: regpol
+ value: C
+ vtype: SZ
+- action: DELETE
+ key: Computer\Software\Policies\Microsoft\Windows\PowerShell\Transcription\EnableInvocationHeader
+ policy_type: regpol
+- key: Computer\Software\Policies\Microsoft\Windows\System\DontDisplayNetworkSelectionUI
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\System\EnableSmartScreen
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\System\ShellSmartScreenLevel
+ policy_type: regpol
+ value: Block
+ vtype: SZ
+- key: Computer\Software\Policies\Microsoft\Windows\System\EnumerateLocalUsers
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\Windows Search\AllowIndexingEncryptedStoresOrItems
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Client\AllowBasic
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Client\AllowUnencryptedTraffic
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Client\AllowDigest
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Service\AllowBasic
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Service\AllowUnencryptedTraffic
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows\WinRM\Service\DisableRunAs
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows NT\Printers\DisableWebPnPDownload
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows NT\Printers\DisableHTTPPrinting
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows NT\Rpc\RestrictRemoteClients
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\DisablePasswordSaving
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\fDisableCdm
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\fPromptForPassword
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\fEncryptRPCTraffic
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\Software\Policies\Microsoft\Windows NT\Terminal Services\MinEncryptionLevel
+ policy_type: regpol
+ value: '3'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Policies\EarlyLaunch\DriverLoadPolicy
+ policy_type: regpol
+ value: '3'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Services\MrxSmb10\Start
+ policy_type: regpol
+ value: '4'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting
+ policy_type: regpol
+ value: '2'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: Computer\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisableIPSourceRouting
+ policy_type: regpol
+ value: '2'
+ vtype: DWORD
+- name: MinimumPasswordAge
+ policy_type: secedit
+ value: '1'
+- name: MaximumPasswordAge
+ policy_type: secedit
+ value: '60'
+- name: MinimumPasswordLength
+ policy_type: secedit
+ value: '14'
+- name: PasswordComplexity
+ policy_type: secedit
+ value: '1'
+- name: PasswordHistorySize
+ policy_type: secedit
+ value: '24'
+- name: LockoutBadCount
+ policy_type: secedit
+ value: '3'
+- name: ResetLockoutCount
+ policy_type: secedit
+ value: '15'
+- name: LockoutDuration
+ policy_type: secedit
+ value: '15'
+- name: ClearTextPassword
+ policy_type: secedit
+ value: '0'
+- name: LSAAnonymousNameLookup
+ policy_type: secedit
+ value: '0'
+- name: EnableGuestAccount
+ policy_type: secedit
+ value: '0'
+- key: MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount
+ policy_type: regpol
+ value: '4'
+ vtype: SZ
+- key: MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption
+ policy_type: regpol
+ value: '1'
+ vtype: SZ
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin
+ policy_type: regpol
+ value: '2'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs
+ policy_type: regpol
+ value: '900'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypes
+ policy_type: regpol
+ value: '2147483640'
+ vtype: DWORD
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption
+ policy_type: regpol
+ value: US Department of Defense Warning Statement
+ vtype: SZ
+- key: MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText
+ policy_type: regpol
+ value: 'You are accessing a U.S. Government (USG) Information System (IS) that is
+ provided for USG-authorized use only.
+
+ By using this IS (which includes any device attached to this IS), you consent
+ to the following conditions:
+
+ -The USG routinely intercepts and monitors communications on this IS for purposes
+ including, but not limited to, penetration testing, COMSEC monitoring, network
+ operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence
+ (CI) investigations.
+
+ -At any time, the USG may inspect and seize data stored on this IS.
+
+ -Communications using, or data stored on, this IS are not private, are subject
+ to routine monitoring, interception, and search, and may be disclosed or used
+ for any USG-authorized purpose.
+
+ -This IS includes security measures (e.g., authentication and access controls)
+ to protect USG interests--not for your personal benefit or privacy.
+
+ -Notwithstanding the above, using this IS does not constitute consent to PM, LE
+ or CI investigative searching or monitoring of the content of privileged communications,
+ or work product, related to personal representation or services by attorneys,
+ psychotherapists, or clergy, and their assistants. Such communications and work
+ product are private and confidential. See User Agreement for details.'
+ vtype: MULTISZ
+- key: MACHINE\Software\Policies\Microsoft\Cryptography\ForceKeyProtection
+ policy_type: regpol
+ value: '2'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
+ policy_type: regpol
+ value: '5'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\allownullsessionfallback
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec
+ policy_type: regpol
+ value: '537395200'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec
+ policy_type: regpol
+ value: '537395200'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\pku2u\AllowOnlineID
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\RestrictRemoteSAM
+ policy_type: regpol
+ value: O:BAG:BAD:(A;;RC;;;BA)
+ vtype: SZ
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\SCENoApplyLegacyAuditPolicy
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Lsa\UseMachineId
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange
+ policy_type: regpol
+ value: '0'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge
+ policy_type: regpol
+ value: '30'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- key: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel
+ policy_type: regpol
+ value: '1'
+ vtype: DWORD
+- name: SeDenyNetworkLogonRight
+ policy_type: secedit
+ value: '*S-1-5-32-546'
+- name: SeDenyBatchLogonRight
+ policy_type: secedit
+ value: '*S-1-5-32-546'
+- name: SeDenyInteractiveLogonRight
+ policy_type: secedit
+ value: '*S-1-5-32-546'
+- name: SeDenyRemoteInteractiveLogonRight
+ policy_type: secedit
+ value: '*S-1-5-32-546'
+- name: SeInteractiveLogonRight
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeBackupPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeCreatePagefilePrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeCreateGlobalPrivilege
+ policy_type: secedit
+ value: '*S-1-5-6,*S-1-5-20,*S-1-5-19,*S-1-5-32-544'
+- name: SeCreateSymbolicLinkPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeDebugPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeRemoteShutdownPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeAuditPrivilege
+ policy_type: secedit
+ value: '*S-1-5-19,*S-1-5-20'
+- name: SeImpersonatePrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544,*S-1-5-19,*S-1-5-20,*S-1-5-6'
+- name: SeIncreaseBasePriorityPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeLoadDriverPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeSecurityPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeSystemEnvironmentPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeManageVolumePrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeProfileSingleProcessPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeRestorePrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeTakeOwnershipPrivilege
+ policy_type: secedit
+ value: '*S-1-5-32-544'
+- name: SeNetworkLogonRight
+ policy_type: secedit
+ value: '*S-1-5-32-544,*S-1-5-11'
diff --git a/ash-windows/stig/Windows_2022Server_MS/stig_audit.csv b/ash-windows/stig/Windows_2022Server_MS/stig_audit.csv
new file mode 100644
index 0000000..a761ea9
--- /dev/null
+++ b/ash-windows/stig/Windows_2022Server_MS/stig_audit.csv
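Review bot: The `Transcription\OutputDirectory` entry carries `value: C`, a bare drive letter rather than a directory, which looks like the baseline's `C:\...` path cut at its first colon by the converter (convert-lgpo-policy.py keeps only `split(":")[1]` of the value). Applied as-is the transcript directory is not what the STIG baseline intends, so the logging control this entry exists for is silently weakened; it should read `value: <intended transcript path, taken from the baseline registry.pol>` and be regenerated once the converter splits on the first colon only. The `LegalNoticeText` entry is the only `vtype: MULTISZ` value here and stores its elements newline-separated, a convention worth stating in the repository's conversion notes so that whatever writes REG_MULTI_SZ knows to split on newline first.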
@@ -0,0 +1,23 @@
+Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value
+,System,Audit Credential Validation,{0cce923f-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Other Account Management Events,{0cce923a-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Security Group Management,{0cce9237-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit User Account Management,{0cce9235-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit PNP Activity,{0cce9248-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Process Creation,{0cce922b-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Account Lockout,{0cce9217-69ae-11d9-bed3-505054503030},Failure,,2
+,System,Audit Group Membership,{0cce9249-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Logoff,{0cce9216-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Logon,{0cce9215-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Special Logon,{0cce921b-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Other Object Access Events,{0cce9227-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Removable Storage,{0cce9245-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Audit Policy Change,{0cce922f-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Authentication Policy Change,{0cce9230-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Authorization Policy Change,{0cce9231-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Sensitive Privilege Use,{0cce9228-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit IPsec Driver,{0cce9213-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Other System Events,{0cce9214-69ae-11d9-bed3-505054503030},Success and Failure,,3
+,System,Audit Security State Change,{0cce9210-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit Security System Extension,{0cce9211-69ae-11d9-bed3-505054503030},Success,,1
+,System,Audit System Integrity,{0cce9212-69ae-11d9-bed3-505054503030},Success and Failure,,3
diff --git a/ash-windows/stig/dodcerts.sls b/ash-windows/stig/dodcerts.sls
index d258a02..5113c54 100644
--- a/ash-windows/stig/dodcerts.sls
+++ b/ash-windows/stig/dodcerts.sls
@@ -711,6 +711,171 @@ CERTS = [
 .upper()
 ),
 },
+ {
+ 'id': 'SV-254442r921943_rule',
+ 'keys': [
+ r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\D37ECF61C0B4ED88681EF3630C4E2FC787B37AEF',
+ ],
+ 'vdata': base64.b16decode(
+ '19000000010000001000000064e538af3f9c3db9371ccc5d6d0cbea40f000000'
+ '0100000030000000fc40844747a19f02135b1a9533f8bb03b52e41cf77d85026'
+ '9334b82839ddbb40f0ff150daa2600f064a3ae8bd3c814c90300000001000000'
+ '14000000d37ecf61c0b4ed88681ef3630c4e2fc787b37aef1400000001000000'
+ '14000000134f3cbbdb5d4529a59470b6daac9e4ce22fc10b2000000001000000'
+ '79050000308205753082035da003020102020101300d06092a864886f70d0101'
+ '0c0500305b310b300906035504061302555331183016060355040a130f552e53'
+ '2e20476f7665726e6d656e74310c300a060355040b1303446f44310c300a0603'
+ '55040b1303504b49311630140603550403130d446f4420526f6f742043412036'
+ '3020170d3233303132343136333631375a180f32303533303132343136333631'
+ '375a305b310b300906035504061302555331183016060355040a130f552e532e'
+ '20476f7665726e6d656e74310c300a060355040b1303446f44310c300a060355'
+ '040b1303504b49311630140603550403130d446f4420526f6f74204341203630'
+ '820222300d06092a864886f70d01010105000382020f003082020a0282020100'
+ 'bca81bbed30e753a41bc7f0dd17874bf8ad729f401050b8113c2e9ad7f0952fa'
+ 'd9b1054dee9493c04c81c2fd308e83a4e4b2f8a3bf0b7c44976680e5108f5bbf'
+ 'f8f128e82eed80180ce6dd114779180852368f5b5139b2785d514468b94a245f'
+ '64cad09e83bf1c67fbe51b9e6d5024e584055ad3d141fa9f58957e53363bef13'
+ '9efb801faf78e20e41d176ba28de0ea70df6e8bc6b1cee049c0b239a23bb50b2'
+ 'b01ad067fc9e39b30df7f208b2f153d8035d11567a41d0a14edc2685db40c457'
+ 'b395a8a8241e3df384c4e5a3782bbe9079af6fce68d0d4f9a7db7b4673354dc2'
+ '9c9163b84ecf9bfb49a9f06504c9ef19ba4549132ee1e315d5707f4c74f39b78'
+ '0e38685d9e1662466a4f4606347067825debd27314481c696d0f2598e7e1f83e'
+ '62ad4ac1c5460f6017acaed0bf2f4b31401cce32a5186ccba9373de50e29593d'
+ 'cb9ea3d7cd77207815abbddf6ad6d77fe3f42f0ab736c081800fce6baec11331'
+ '752dc95c1f2bdd9b5cfcc225b17c5b5dba8931d5202d9d33195a12d15a7c5afc'
+ '6dede288afde067d01dabdbd8f5feded1b60673a827816036b11b4b6f35ee787'
+ 'ad4bc3cd051c8ee16cc99f6086955df91daae1c638e8faaee0955c88c42275af'
+ 'ed28ba61fbf357ebe13ee6fc7e6e139f2a4a2aaa7eed448a1c6c7f872221fd00'
+ 'd0be1ae631c603006378269232c525a0f808ea6fb6fe1d0f1df87eff3669e9b1'
+ '0203010001a3423040301d0603551d0e04160414134f3cbbdb5d4529a59470b6'
+ 'daac9e4ce22fc10b300e0603551d0f0101ff040403020186300f0603551d1301'
+ '01ff040530030101ff300d06092a864886f70d01010c05000382020100b69cd9'
+ 'e10283d63721090cfb6a7ba3ab21f03817838825d9033da63a28c583fd0eb19f'
+ '99a9228ef5c8cdf54dc87de47338914fbf2af50fa023963a2cb82c39275810f3'
+ '35d0fe91750c1aa42efbe81e225409cfc25fd841e97afe6346976c0d5281c2e5'
+ '763f7e90247cc6809876d364ceeaa9d1c80bb86dbf24e7030697c59105add58a'
+ 'c7e48d15f0d8df0253b2e3f9faef86e46cff746e0a822fed5e14bff6b85da543'
+ '2116ced40c833971c1916c7370b295f8dc9cad55beb54e6d1398a820add43b75'
+ '1496fc816d8ee72345b0f9f9c0fc357935ce10fedb056166729efd6313bff607'
+ '467a357f0c9e85bfb73c5ca2b8b126a9711fc550f90787d7aa4852977058d74c'
+ '12a6f0a9bd8b7c1bb080d25d12d9e2ddad851b6da581c02dd7b5ba0b143c5dbe'
+ 'f109ddef40af2e64e3e84785db6260f68dbfb1d5560ec9f11f0f9bd3024e4ec0'
+ 'e782bf74b5d9c2deaa40b23e35142eac560c643ebfa38d3ea6e6ae80efdce22f'
+ '7702d1604f93991aa3de23e4d0e5ff30acbb949e8c68d6a2321ffd314f69b80b'
+ 'c7ea334ef08ba519728785eb57081d22c4ce0e7c76c44dcc7f1918b3fa8bfaf9'
+ 'bf616fcacf114a7e5729c3ba3a662152d611a07d9858d9f9847775673917340d'
+ '57b0791b61bb42e56286cb6d31954f5282f3dfcfe70dadd16dc9637b940c8ccb'
+ '030403b2aa9ad42df2925e3dc8dbc73c1daa87ed34aae4dee7293281c5'
+ .upper()
+ ),
+ },
+ {
+ 'id': 'SV-254443r890553_rule',
+ 'keys': [
+ r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\49CBE933151872E17C8EAE7F0ABA97FB610F6477',
+ ],
+ 'vdata': base64.b16decode(
+ '0f0000000100000020000000218c13a44c41140235dbc6282efd960147673155'
+ 'bd10530b93a1e604cfe7bb8d03000000010000001400000049cbe933151872e1'
+ '7c8eae7f0aba97fb610f647720000000010000004a050000308205463082042e'
+ 'a0030201020202087b300d06092a864886f70d01010b0500306c310b30090603'
+ '5504061302555331183016060355040a130f552e532e20476f7665726e6d656e'
+ '74310c300a060355040b1303446f44310c300a060355040b1303504b49312730'
+ '250603550403131e446f4420496e7465726f7065726162696c69747920526f6f'
+ '742043412032301e170d3231313131363134353731365a170d32343131313631'
+ '34353731365a305b310b300906035504061302555331183016060355040a130f'
+ '552e532e20476f7665726e6d656e74310c300a060355040b1303446f44310c30'
+ '0a060355040b1303504b49311630140603550403130d446f4420526f6f742043'
+ '41203330820122300d06092a864886f70d01010105000382010f003082010a02'
+ '82010100a9ec14728ae84b70a3da100384a6fba7360d2a3a5216bf3015528605'
+ '4720cfaaa6cd75c4646eeff16023cb0a6640aeb4c8682a0051684937e959324d'
+ '95bc4327e9408d3a10ce14bc4318a1f9decce78576735e181a235bbd3f1ff2ed'
+ '8d19cc03d140a48fa720024c275a7936f6a337218e005a0616cad355966f3129'
+ 'bb720ecbe24851f2d437a435d66fee17b3b106ab0b1986e8236d311b287865c5'
+ 'de6252bcc17debeea05d5404fbb2cb2bb2235491824cf0bfba74403b0c044580'
+ '675cc5eba257c31a7f0a2dbd7fb9dcc199b0c807e40c8636943a252ff27de697'
+ '3c1b94b4975906c93ae40bd9eae9fc3b73346ffde798e4f3a1c2905f1cf53f2e'
+ 'd719d37f0203010001a3820201308201fd301f0603551d23041830168014fff8'
+ 'ae138b922b799241a3765c2c819e9ac59c78300f0603551d130101ff04053003'
+ '0101ff300e0603551d0f0101ff04040302010630470603551d1f0440303e303c'
+ 'a03aa0388636687474703a2f2f63726c2e646973612e6d696c2f63726c2f444f'
+ '44494e5445524f5045524142494c495459524f4f544341322e63726c301d0603'
+ '551d0e041604146c8a94a277b180721d817a16aaf2dcce66ee45c0307c06082b'
+ '060105050701010470306e304a06082b06010505073002863e687474703a2f2f'
+ '63726c2e646973612e6d696c2f697373756564746f2f444f44494e5445524f50'
+ '45524142494c495459524f4f544341325f49542e703763302006082b06010505'
+ '0730018614687474703a2f2f6f6373702e646973612e6d696c30760603551d20'
+ '046f306d300b0609608648016502010b24300b0609608648016502010b27300b'
+ '0609608648016502010b2a300c060a6086480165030201030d300c060a608648'
+ '01650302010311300c060a60864801650302010327300c060a60864801650302'
+ '010328300c060a60864801650302010329300f0603551d240101ff0405300380'
+ '0100304a06082b0601050507010b043e303c303a06082b06010505073005862e'
+ '687474703a2f2f63726c2e646973612e6d696c2f69737375656462792f444f44'
+ '524f4f544341335f49422e703763300d06092a864886f70d01010b0500038201'
+ '0100dc97193aefa99324086b43e2a1bcac0867a87d7c95562efdb8906342505d'
+ '912affb377545066b10d2562dbcc05b5f570d599a0c7a9e7c33e731c5d9b7ac0'
+ '558b82fd53531f7b32b8fa0ce7035b3cd0f7cf50150c576a0a2068fb9fe1749c'
+ '8074ce4e50ec75b971558529791b9df893f8e50051f5d62c1b84f0a6ee2eee47'
+ '896fffa9a22d0b99d3a5f81cdb0468ebf2de8086086c0f6aa5f5ee021bf4d3e9'
+ '9963c67ff8f78f6e034ab21002eb8ebb4b2709cf9fc601c21e0fac25aaa012ea'
+ '00b99ebcaf4cd4f30062b7c4619d02efefc5bab7a2ec8e7307fcb25254165dbe'
+ '1e66b19eb355b3597eb70d178c294f0c3918cd4c0dd5008e58afb8455420d204'
+ 'a003'
+ .upper()
+ ),
+ },
+ {
+ 'id': 'SV-254444r894343_rule',
+ 'keys': [
+ r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\9B74964506C7ED9138070D08D5F8B969866560C8',
+ ],
+ 'vdata': base64.b16decode(
+ '0f00000001000000200000007ed1d675f37b9e355c9ff616846b03f83d1f3534e'
+ '5748dc868e304b1e19fecf40300000001000000140000009b74964506c7ed9138'
+ '070d08d5f8b969866560c820000000010000001905000030820515308203fda00'
+ '3020102020205c7300d06092a864886f70d01010b05003074310b300906035504'
+ '061302555331183016060355040a130f552e532e20476f7665726e6d656e74310'
+ 'c300a060355040b1303446f44310c300a060355040b1303504b49312f302d0603'
+ '5504031326555320446f44204343454220496e7465726f7065726162696c69747'
+ '920526f6f742043412032301e170d3232303731393133353632325a170d323530'
+ '3731383133353632325a305b310b3009060355040613025553311830160603550'
+ '40a130f552e532e20476f7665726e6d656e74310c300a060355040b1303446f44'
+ '310c300a060355040b1303504b49311630140603550403130d446f4420526f6f7'
+ '4204341203330820122300d06092a864886f70d01010105000382010f00308201'
+ '0a0282010100a9ec14728ae84b70a3da100384a6fba7360d2a3a5216bf3015528'
+ '6054720cfaaa6cd75c4646eeff16023cb0a6640aeb4c8682a0051684937e95932'
+ '4d95bc4327e9408d3a10ce14bc4318a1f9decce78576735e181a235bbd3f1ff2e'
+ 'd8d19cc03d140a48fa720024c275a7936f6a337218e005a0616cad355966f3129'
+ 'bb720ecbe24851f2d437a435d66fee17b3b106ab0b1986e8236d311b287865c5d'
+ 'e6252bcc17debeea05d5404fbb2cb2bb2235491824cf0bfba74403b0c04458067'
+ '5cc5eba257c31a7f0a2dbd7fb9dcc199b0c807e40c8636943a252ff27de6973c1'
+ 'b94b4975906c93ae40bd9eae9fc3b73346ffde798e4f3a1c2905f1cf53f2ed719'
+ 'd37f0203010001a38201c8308201c4301f0603551d23041830168014162b91dae'
+ '2170c96ab5c7dde7d48f25da800ace7301d0603551d0e041604146c8a94a277b1'
+ '80721d817a16aaf2dcce66ee45c0300e0603551d0f0101ff04040302010630300'
+ '603551d2004293027300b0609608648016502010b24300b060960864801650201'
+ '0b27300b0609608648016502010b2a300f0603551d130101ff040530030101ff3'
+ '00f0603551d240101ff04053003800100304d0603551d1f044630443042a040a0'
+ '3e863c687474703a2f2f63726c2e646973612e6d696c2f63726c2f5553444f444'
+ '3434542494e5445524f5045524142494c495459524f4f544341322e63726c3081'
+ '8206082b0601050507010104763074305006082b0601050507300286446874747'
+ '03a2f2f63726c2e646973612e6d696c2f697373756564746f2f5553444f444343'
+ '4542494e5445524f5045524142494c495459524f4f544341325f49542e7037633'
+ '02006082b060105050730018614687474703a2f2f6f6373702e646973612e6d69'
+ '6c304a06082b0601050507010b043e303c303a06082b06010505073005862e687'
+ '474703a2f2f63726c2e646973612e6d696c2f69737375656462792f444f44524f'
+ '4f544341335f49422e703763300d06092a864886f70d01010b050003820101003'
+ '48309c512b15ce9b12b650ddfa62347e8e55d9dde66dc76bda8de3e0a8d8c6646'
+ 'ebc2661604ad9d3be77d1ce3ce8a02587102e04b8701ff5fbe5dbdc1bd3beeb69'
+ '6510fbdb3deaae1a4dd2967b94610bd7163ad691019eae3da3b4afc9dd39010a3'
+ '15ef1905e1b4e520b0929a83ad3b90e4cdcda3396da29c832e39b1abb964386d0'
+ '6c73c8e8bd4d0ba6027e140d8c3b564204b3b4c470c674f454922e0c934cb931d'
+ '40dff0c44a297815e5c60b0b902b7b116611190e589e8cee94abcf75bf150d3d6'
+ 'fcedeeffe74fa155196e64a513163c4121e269a33d14e109afa422c6a8ab65304'
+ '6f4ed0f7f77d17c2b669f87999c1ef61ab217cbf64b244edb9498106'
+ .upper()
+ ),
+ },
 ]
 
 def run():
diff --git a/ash-windows/tools/convert-lgpo-policy.py b/ash-windows/tools/convert-lgpo-policy.py
index 4d01c4a..deb46eb 100644
--- a/ash-windows/tools/convert-lgpo-policy.py
+++ b/ash-windows/tools/convert-lgpo-policy.py
@@ -9,7 +9,7 @@
 REG_CODE_MAP = {"1": "SZ", "2": "EXSZ", "3": "BINARY", "4": "DWORD", "7": "MULTISZ"}
 REG_MODES = ("DELETE", "DELETEALLVALUES", "CREATEKEY")
 REG_HIVES = ("USER", "COMPUTER")
-REG_TYPES = ("DWORD", "SZ", "EXSZ")
+REG_TYPES = ("DWORD", "SZ", "EXSZ", "MULTISZ")
 
 
 def _convert_regpol(src):
@@ -37,7 +37,7 @@ def _convert_regpol(src):
 policy["action"] = src[index + 3]
 else:
 policy["vtype"] = src[index + 3].split(":")[0]
- policy["value"] = src[index + 3].split(":")[1]
+ policy["value"] = src[index + 3].split(":")[1].replace("\\0", "\n")
 policies.append(policy)
 except IndexError as exc:
 raise SystemError(
@@ -73,7 +73,16 @@ def _convert_secedit(src):
 policy["key"] = line.split("=")[0].strip()
 policy["vtype"] = REG_CODE_MAP[line.split("=")[1].split(",")[0].strip()]
 policy["value"] = (
- "".join(line.split("=")[1].split(",")[1:]).strip().strip('"')
+ ",".join(
+ [
+ segment.replace(",", "\n")
+ for segment in ",".join(
+ line.split("=")[1].split(",")[1:]
+ ).split('","')
+ ]
+ )
+ .strip()
+ .strip('"')
 )
 if not policy["vtype"].upper() in REG_TYPES:
 print(
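Review bot: Each new `vdata` entry is a hand-pasted hex blob, and nothing in the file ties the certificate it carries to the thumbprint in the `keys` path, so a truncated or mis-pasted blob would register a wrong or unusable anchor under `Root` (SV-254442) or leave one of the two `Disallowed` cross-certificates unblocked, with no error at apply time. The blobs appear to end with the DER certificate itself (the final property introduced by `20000000`, `01000000` and a little-endian length just before `3082...`), so a unit test that decodes each `vdata`, takes that trailing certificate, and compares `hashlib.sha1(cert).hexdigest().upper()` with the last path component of each key would catch this class of mistake for every entry in `CERTS`. The SV-254444 literals are 65 hex characters per line where the other entries use 64; `b16decode` only cares that the total is even, but the uneven width makes checking the paste against its source harder. `CERTS` begins outside the hunk.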
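Review bot: The rewritten `policy["value"]` line still keeps only element `[1]` of `split(":")`, so any registry value that itself contains a colon — a `C:\...` path, for instance — is cut at that colon, and the generated Windows_2022Server_MS/stig.yml in this same commit shows it with `Transcription\OutputDirectory` reduced to `value: C`. Splitting once leaves the `vtype` side untouched and fixes it: `policy["value"] = src[index + 3].split(":", 1)[1].replace("\\0", "\n")`. Because `\0` is mapped to a newline here, REG_MULTI_SZ values reach the YAML as newline-joined text; if the consumer writes that as one string instead of re-splitting it into NUL-separated, double-NUL-terminated elements the multi-string is malformed, so a comment such as `# MULTISZ elements are newline-separated in the YAML; the consumer must re-split them` on this line would make the contract explicit. `_convert_regpol` starts and ends outside the hunk.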
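Review bot: The `",".join(...).split('","')` / `segment.replace(",", "\n")` / outer `",".join(...)` chain appears to encode a non-obvious template convention — a bare comma in the .inf value separates REG_MULTI_SZ elements while a `","` sequence stands for a literal comma inside an element — but nothing in the hunk says so, and the double `",".join` reads like a mistake at first glance. A comment above the expression along the lines of `# secedit .inf multi-strings: a bare "," separates elements (becomes a newline); '","' is a literal comma kept as-is` would spare the next reader from re-deriving it, and a short docstring example on `_convert_secedit` showing one input line and its resulting `value` would pin the behaviour. `_convert_secedit` starts and ends outside the hunk.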